Abstract



We study the problem of privacy amplification with an active adversary in the information theoretic setting. In this setting, two parties Alice and Bob start out with a shared $n$-bit weak random string $W$, and try to agree on a secret random key $R$ over a public channel fully controlled by an active and unbounded adversary. Typical assumptions are that these two parties have access to local private uniform random bits. In this paper we seek to minimize the requirements on the local randomness used by the two parties.

We make two improvements over previous results. First, we reduce the number of random bits needed for each party to $\Theta(\ell + \log n)$, where $\ell$ is the security parameter, as long as $W$ has min-entropy $n^{\Omega(1)}$. Previously, the best known result needs $\Theta((\ell + \log n)\log n)$ bits. Our result is also asymptotically optimal. Second, we generalize the problem to the case where the two parties only have local weak random sources instead of truly uniform random bits. We show that when each party has a local weak random source with min-entropy $> n/2$, there is an efficient privacy amplification protocol that works nearly as well as if the two parties had access to local uniform random bits. Next, in the case where each party only has a weak random source with arbitrary linear min-entropy, we give an efficient privacy amplification protocol that achieves security parameter up to $\Omega(\log k)$. Our results give the first protocols that achieve privacy amplification when each party only has access to a local weak random source.
1 Introduction



The problem of privacy amplification, introduced in a paper by Bennett, Brassard, and Robert [BBR88], is a fundamental problem in symmetric key cryptography. In symmetric key cryptography, two parties (Alice and Bob) share an $n$-bit secret $W$ and they wish to communicate over a public channel controlled by an adversary Eve. The goal is to make the communication private and authentic. While this problem is well studied in cryptography, standard solutions require that $W$ is perfectly uniform. The problem of privacy amplification, on the other hand, assumes that $W$ is not uniform and follows some arbitrary probability distribution. As in [BBCM95], in this paper we only require that $W$ has a certain amount of entropy [1]. The goal now is for Alice and Bob to agree on a string $R$ that is nearly uniform and secret, so that standard solutions can be invoked. This problem is natural and important for the following reasons.

First, in practice many secrets are not uniformly distributed. In fact, despite the fact that 
randomness plays a very important role in computer science, it is not clear how to obtain uniform 
random bits in the real world. Many random like behaviors, such as weather patterns, biometrics, 
human-memorable passphrases and market prices are highly biased distributions. Second, even if 
the two parties manage to acquire a shared uniform random string, it could be compromised to 
some extent. For example the adversary can use side-channel attacks against the hardware. In this 
case it is often reasonable to assume that the adversary does not learn the entire information of 
the secret (otherwise security is completely lost), and that the secret has some amount of entropy 
left. The problem of privacy amplification thus arises naturally in either of these cases. 

To study this problem, it is necessary to model the adversary. One possibility is to assume 
that the adversary is computationally bounded, so that cryptographic assumptions and primitives 
can be used [BMP00, KOY01, CHK+05, GL06]. On the other hand, in this paper we make no
computational assumptions and instead assume that the adversary is computationally unbounded. 
Thus here we are studying the problem in the information theoretic setting. 

We can also model the adversary as being passive or active. A passive adversary just listens 
to the communication over the channel and does not change anything. An active adversary, on 
the other hand, can modify the communication in arbitrary ways. We note that in the case of a 
passive adversary, strong extractors [NZ96] can be used to give an optimal solution to this problem. 
However in this paper, we assume that the adversary is active. 

With an active and computationally unbounded adversary, the problem becomes considerably 
harder. To see this, note that now the adversary can modify the messages sent through the channel 
in a computationally unbounded way. Therefore not only do we have to guarantee that Alice and 
Bob each obtains a string that is close to private and uniform, but also we need to make sure that 
they agree on this string with high probability. Following [KR09, CKOR10], below we give the 
formal definition of a privacy amplification protocol in this case. 

Let $w \in \{0,1\}^n$ be the secret string shared by Alice and Bob, where $w$ is sampled according to a distribution $W$. Let the protocol $(P_A, P_B)$ be executed in the presence of an active adversary Eve. Let $V_A$ denote the random variable that describes Alice's view of the communication when $(P_A, P_B)$ is executed, and define $V_B$ likewise. We use small letters $v_A, v_B$ to denote specific values of $V_A, V_B$. The private randomness of Alice and Bob is denoted by $x$ and $y$ respectively. Alice's output is denoted by $r_A = P_A(w, v_A, x)$ and Bob's output is denoted by $r_B = P_B(w, v_B, y)$ (if successful, both outputs will be of length $\lambda_k$; rejection will be denoted by the symbol $\bot$). Let $V$ denote Eve's view of the protocol. Since Eve is computationally unbounded, we can simply assume that Eve is deterministic.

[1] We use standard notions of min-entropy.

Definition 1.1. [KR09, CKOR10] An interactive protocol $(P_A, P_B)$ played by Alice and Bob on a communication channel fully controlled by an active adversary Eve is a $(k, \delta, \varepsilon)$-privacy amplification protocol if it satisfies the following properties whenever $H_\infty(W) \ge k$:

1. Correctness. If Eve is passive, then $\Pr[R_A = R_B] = 1$.

2. Robustness. The probability that the following experiment outputs "Eve wins" is at most $\delta$: sample $w$ from $W$; let $v_A, v_B$ be the communication upon execution of $(P_A, P_B)$ with Eve actively controlling the channel, and let $r_A = P_A(w, v_A, x)$, $r_B = P_B(w, v_B, y)$. Output "Eve wins" if $(r_A \ne r_B \wedge r_A \ne \bot \wedge r_B \ne \bot)$.

3. Extraction. Letting $V$ denote Eve's view of the protocol,

$|(R_A, V \mid R_A \ne \bot) - (U_{\lambda_k}, V)| \le \varepsilon$

and

$|(R_B, V \mid R_B \ne \bot) - (U_{\lambda_k}, V)| \le \varepsilon.$

$\ell = \log(1/\delta)$ is called the security parameter of the protocol.

To build such protocols, an important ingredient is an interactive authentication protocol. In such a protocol, Alice takes a message $m$ as input and tries to authenticate the message to Bob over the channel. Bob obtains a message $m_B$ at the end of the protocol. We now give the formal definition of such a protocol.

Definition 1.2. [KR09, CKOR10] An interactive protocol $(P_A, P_B)$ played by Alice and Bob on a communication channel fully controlled by an active adversary Eve is a $(k, \ell)$-interactive authentication protocol if it satisfies the following properties whenever $H_\infty(W) \ge k$:

1. Correctness. If Eve is passive, then $\Pr[m_B = m] = 1$.

2. Robustness. The probability that the following experiment outputs "Eve wins" is at most $2^{-\ell}$: sample $w$ from $W$; let $v_A, v_B$ be the communication upon execution of $(P_A, P_B)$ with Eve actively controlling the channel, and let $m_B = P_B(w, v_B, y)$. Output "Eve wins" if $(m_B \ne m \wedge m_B \ne \bot)$.

Again $\ell$ is called the security parameter of the protocol.

It is shown in [KR09] that if we have a $(k, \ell)$ interactive authentication protocol for messages of length $O(\ell + \log n)$, then it can be used to construct a $(k, 2^{-\ell}, \varepsilon)$ privacy amplification protocol.

As shown in the definitions, in the setting of privacy amplification with an active adversary, typical assumptions are that Alice and Bob have access to local (non-shared) uniform random bits. The first protocol given for this problem is due to Maurer and Wolf [MW97], which works as long as $W$ has entropy $k > 2n/3$. This was later improved to $k > n/2$ in [DKRS06]. Both of these protocols are single-round. In [DW09] it is shown that no single-round protocol exists if the secret $W$ has entropy $k < n/2$.

The first protocol that can handle $k < n/2$ (in fact, any $k > \mathrm{polylog}(n)$) is due to Renner and Wolf [RW03]. In that paper they constructed a protocol using $\Theta(\ell + \log n)$ rounds of interaction, where $\ell$ is the security parameter. Later, several improvements appeared [KR09, DW09, CKOR10]. These papers aim to optimize different parameters of the protocol. For example, while achieving the same asymptotic behavior, [KR09] considerably improves the constants hidden in the $\Theta$, and thus makes the protocol much more practical. [DW09] reduces the number of rounds needed to just two. [CKOR10] improves the entropy loss of the protocol to $\Theta(\ell + \log n)$, which is asymptotically optimal.

In this paper, we seek to minimize the requirements on the local randomness used by Alice and 
Bob. Specifically, we ask the following two questions. 

Question 1: What is the minimum number of random bits that Alice and Bob have to use to ensure a protocol of security parameter $\ell$?

For this question, previous results all require at least $\Omega((\ell + \log n)\log n)$ local random bits for Alice and Bob. Specifically, the works of [RW03], [KR09] and [DW09] require $\Theta((\ell + \log n)^2)$ bits. The work of [CKOR10] requires $\Theta((\ell + \log n)\log n)$ bits. We note that non-constructively, by using the non-malleable extractor proposed in [DW09], there is a protocol that simultaneously achieves the optimal randomness complexity of $\Theta(\ell + \log n)$, the optimal round complexity of two and the optimal entropy loss of $\Theta(\ell + \log n)$.

Question 2: Can Alice and Bob still agree on a nearly uniform secret key, if they 
only have access to local weak random sources, instead of truly uniform random bits? 

For this question, as far as we know, there are no results that give a positive answer until now. 
All previous results require that Alice and Bob have access to local truly uniform random bits. 

These questions are natural and important, for the same reasons that we have discussed above. First, it is not clear how to obtain uniform random bits in the real world, let alone a large number of them. Thus we would like to know the minimum number of random bits that Alice and Bob need. Second, it is most likely that Alice and Bob only have access to local weak random sources instead of truly random bits, either because weak random sources are the best they can get, or because their local random bits are compromised by side channel attacks. Thus we would like to know whether privacy amplification is still possible in this case. We feel that this is a new and important direction, as all previous works take for granted that Alice and Bob have access to a large number of truly uniform random bits, which could be far from true in practice. In this paper, we make the first effort towards minimizing the requirements on the local randomness used by Alice and Bob.

1.1 Our Contribution 

For the first question, we show that $\Theta(\ell + \log n)$ local random bits suffice to achieve security parameter $\ell$, as long as the entropy of $W$ is at least $n^{\beta}$ for an arbitrary constant $0 < \beta < 1$. Thus our result improves the previous best result by a $\log n$ factor. This is also asymptotically optimal, because $\Omega(\ell + \log n)$ bits are needed to extract random bits from a general weak random source and achieve error $2^{-\ell}$. Specifically, we have the following theorem.

Theorem 1.3. For all positive integers $n, \ell$ and every $0 < \gamma < \beta < 1$, assume that Alice and Bob share an $(n, k)$ weak random source $W$ with $k > n^{\beta}$. Then there exists an efficient $(k, \lambda_k, 2^{-\ell}, \varepsilon)$ privacy amplification protocol, where the total number of random bits that Alice and Bob use is $\Theta(\ell + \log n)$. The entropy loss of the protocol is $n^{\gamma}(\ell + \log n)$ and the length of the extracted key is $\lambda_k = k - n^{\gamma}(\ell + \log n) - O(\log(1/\varepsilon))$.

Remark 1.4. Note that in the case where $\ell > n^{\gamma}$, our protocol actually achieves better entropy loss than those of [RW03, KR09, DW09].

For the second question, we show that

1. Non-constructively, we can do as well as if Alice and Bob have access to local random bits. Specifically, if Alice and Bob have two independent $(n, k)$ sources and they share an independent $(n, k)$ source, then there is a (possibly inefficient) protocol that achieves privacy amplification up to security parameter $\Omega(k)$.

2. If Alice and Bob have two independent $(n, (1/2 + \delta)n)$ sources and they share an independent $(n, k)$ source, then there is an explicit protocol that achieves privacy amplification up to security parameter $k^{\Omega(1)}$.

3. If Alice and Bob have two independent $(n, \delta n)$ sources and they share an independent $(n, k)$ source, then there is an explicit protocol that achieves privacy amplification up to security parameter $\Omega(\log k)$.

Specifically, we have the following theorems. 

Theorem 1.5. For all positive integers $n, k$ where $k > \log n$, assume that Alice and Bob have two independent local $(n, k)$ sources, and they share an independent $(n, k)$ source $W$. Then non-constructively there exists a $(k, k - O(\log n + \log(1/\delta) + \log(1/\varepsilon)), \delta, \varepsilon)$ privacy amplification protocol.

Theorem 1.6. For all positive integers $n, k$ where $k > \mathrm{polylog}(n)$ and any constant $0 < \delta < 1$, assume that Alice and Bob have two independent local $(n, (1/2 + \delta)n)$ sources, and they share an independent $(n, k)$ source $W$. Then there exists an efficient $(k, k - k^{\Omega(1)}, 2^{-k^{\Omega(1)}}, 2^{-k^{\Omega(1)}})$ privacy amplification protocol.

Theorem 1.7. For all positive integers $n, k$ where $k > \mathrm{polylog}(n)$ and any constant $0 < \delta < 1$, assume that Alice and Bob have two independent local $(n, \delta n)$ sources, and they share an independent $(n, k)$ source $W$. Then there exists an efficient $(k, k - k^{\Omega(1)}, 1/\mathrm{poly}(k), 1/\mathrm{poly}(k))$ privacy amplification protocol.

Our results are the first results to give protocols that achieve privacy amplification when Alice 
and Bob only have access to local weak random sources. 

Table 1 summarizes our results compared to some previous results, assuming the security parameter is $\ell$.

1.2 Overview of the Constructions and Techniques 

Here we give a brief discussion of the constructions and the techniques that we use. First we show how we reduce the number of random bits used. For simplicity we focus on the case where $\ell = \Omega(\log n)$. Thus to use the protocols in [KR09], Alice needs to authenticate $\Theta(\ell)$ bits to Bob, and we want to use only $\Theta(\ell)$ local random bits.
Construction          | Entropy of $W$             | Local randomness                      | Rounds                  | Entropy loss
----------------------|----------------------------|---------------------------------------|-------------------------|------------------------------------------
Optimal, non-explicit | $k > \log n$               | $\Theta(\ell + \log n)$ bits          | 2                       | $\Theta(\ell + \log n)$
Optimal, non-explicit | $k > \log n$               | $(n, k > \log n)$-source              | 2                       | $\Theta(\ell + \log n)$
[MW97]                | $k > 2n/3$                 | $(n - k)$ bits                        | 1                       | $(n - k)$
[DKRS06]              | $k > n/2$                  | $(n - k)$ bits                        | 1                       | $(n - k)$
[RW03, KR09]          | $k > \mathrm{polylog}(n)$  | $\Theta((\ell + \log n)^2)$ bits      | $\Theta(\ell + \log n)$ | $\Theta((\ell + \log n)^2)$
[DW09]                | $k > \mathrm{polylog}(n)$  | $\Theta((\ell + \log n)^2)$ bits      | 2                       | $\Theta((\ell + \log n)^2)$
[CKOR10]              | $k > \mathrm{polylog}(n)$  | $\Theta((\ell + \log n)\log n)$ bits  | $\Theta(\ell + \log n)$ | $\Theta(\ell + \log n)$
This paper            | $k > n^{\beta}$            | $\Theta(\ell + \log n)$ bits          | $\Theta(\ell + \log n)$ | $n^{\gamma}(\ell + \log n)$
This paper            | $k > \mathrm{polylog}(n)$  | $(n, (1/2 + \delta)n)$-source         | 2                       | $k^{\Omega(1)}$
This paper            | $k > \mathrm{polylog}(n)$  | $(n, \delta n)$-source                | $\Theta(\log k)$        | $k^{\Omega(1)}$, $\ell = \Omega(\log k)$

Table 1: Summary of Results on Privacy Amplification with an Active Adversary



1.2.1 Reducing the Number of Local Random Bits 

Our starting point is the protocol in [CKOR10], which builds upon the protocols in [RW03, KR09]. Let's first briefly review that protocol. By the results in [RW03, KR09], to achieve security parameter $\ell$ it suffices to give an interactive authentication protocol in which Alice can authenticate $\Theta(\ell + \log n)$ bits to Bob, such that the probability that Eve can successfully change the message is at most $2^{-\ell}$. To do this, the protocol in [CKOR10] starts by encoding the message $m$ with an error correcting code for edit errors. The codeword has length $O(\ell)$ and the edit distance between any two different codewords is $\Omega(\ell)$.

Next, in the protocol Alice sends the encoded message to Bob bit by bit. Sending each bit takes one round. In each round, Alice and Bob each send out a fresh random seed. The seed is used in a strong extractor to extract some constant number $c$ of random bits from $W$. The analysis argues that for Eve to change the codeword to a different one, Eve has to make $\Omega(\ell)$ edit operations. Among these operations a constant fraction will result in Eve answering a challenge (coming up with a fresh output of the extractor), which Eve can only do with probability roughly $2^{-c}$. Therefore the overall success probability of Eve is roughly $(2^{-c})^{\Omega(\ell)} = 2^{-\Omega(\ell)}$. Since the seed for an extractor has to be at least $\log n$ bits long, the total number of random bits used by Alice or Bob is $\Theta((\ell + \log n)\log n)$.

Looking carefully into the analysis, we see that this protocol is actually wasting random bits in the following sense: in each round it uses $\log n$ fresh random bits, but if Eve has to answer a challenge, her success probability only goes down by a factor of $2^{-c}$ for some constant $c > 1$. On the other hand, we know that $\Omega(\log n)$ bits suffice to extract random bits from $W$ and achieve error $1/\mathrm{poly}(n)$. Thus intuitively we would like Eve's success probability to go down by a factor of $1/\mathrm{poly}(n)$ each time she answers a challenge (note that the factor cannot be smaller than the error of the extractor). Another way of saying this is that if somehow we magically had extractors with seed length $O(1)$ that achieve error $2^{-c}$, then the number of random bits that Alice and Bob need would be $\Theta(\ell)$, which is optimal. Of course, it is impossible to build such extractors.

Thus we want to fully exploit the random bits used. Suppose we can use $\Theta(t)$ bits (with $t = \Omega(\log n)$) to make Eve's success probability go down by a factor of $2^{-\Omega(t)}$ each time she answers a challenge (this is the best we can hope for, since it is the error of an extractor with seed length $\Theta(t)$). Then we only need $\Theta(\ell/t)$ steps to make it decrease to $2^{-\ell}$, so the random bits needed will be $\Theta(t) \cdot \Theta(\ell/t) = \Theta(\ell)$.

To achieve this goal, we design a new way for Alice to authenticate a message to Bob bit by bit. Again we encode the message $m$ with an error correcting code for edit errors, as in [CKOR10]. The codeword has length $\Theta(\ell)$. Now our protocol proceeds in phases. In each phase Alice and Bob use $\Theta(t)$ fresh random bits, for some chosen parameter $t = \Omega(\log n)$. Since we want the total number of random bits used to be $\Theta(\ell)$, we can only use $\Theta(\ell/t)$ phases. Thus in each phase Alice needs to send $\Theta(t)$ bits to Bob. We actually design the protocol such that in each phase Alice sends exactly $t$ bits to Bob.

In each phase, the protocol does the following. In the beginning Alice sends $t$ fresh random bits $X$ to Bob. Bob also sends $t$ fresh random bits $Y$ to Alice. Of course what they actually receive may be different, say $Y'$ for Alice and $X'$ for Bob. Alice then computes $\mathrm{Ext}(W, Y')$ and Bob computes $\mathrm{Ext}(W, X')$, where $\mathrm{Ext}$ is a strong seeded extractor. Locally Alice computes the correct $\mathrm{Ext}(W, X)$ and Bob computes the correct $\mathrm{Ext}(W, Y)$.

We then define three sets of integers $C_{1i} = 2^{3i-2} t$, $C_{2i} = 2^{3i-1} t$, $C_{3i} = 2^{3i} t$ for $i = 1, \dots, t$. Note that a phase consists of $t$ rounds, and in round $i$ we are going to use the three numbers $C_{1i}, C_{2i}, C_{3i}$ to transfer a bit from Alice to Bob. Here's how we do it: if the bit is 0, Alice sends 0 and the prefix of $\mathrm{Ext}(W, Y')$ of length $C_{1i}$ to Bob; if the bit is 1 then Alice sends 1 and the prefix of $\mathrm{Ext}(W, Y')$ of length $C_{2i}$ to Bob. Bob then receives the message, and checks whether the prefix matches the prefix of $\mathrm{Ext}(W, Y)$ of the corresponding length. If it doesn't match, Bob will abort and output $\bot$. Otherwise Bob responds to Alice with the prefix of $\mathrm{Ext}(W, X')$ of length $C_{3i}$, and Alice checks whether the prefix matches the prefix of $\mathrm{Ext}(W, X)$. If it doesn't match, Alice will abort and output $\bot$. If neither of them aborts then this round is over and they move on to the next round.

We now want to argue that some of Eve's edit operations will result in Eve answering a challenge, and that Eve's success probability in answering a challenge is roughly $2^{-\Omega(t)}$. Intuitively, the reason is as follows. Note that the numbers $C_{1i}, C_{2i}, C_{3i}$ have the property that if we arrange them into the sequence $C_{11}, C_{21}, C_{31}, C_{12}, C_{22}, C_{32}, \dots$, then each number is twice as large as the previous one. This means that the length of the prefix in the protocol doubles each time. Now take for example the case that Eve makes an insert operation in round $i$; then Bob is expecting the prefix of $\mathrm{Ext}(W, Y)$ of length at least $C_{1i}$ (in this case). On the other hand, the total number of bits of information that Eve can use is at most $C_{3(i-1)} + C_{2(i-1)} = 3C_{1i}/4$ (a prefix of $\mathrm{Ext}(W, X')$ and a prefix of $\mathrm{Ext}(W, Y')$; note that $X$ and $Y$ here are independent of $\mathrm{Ext}(W, Y)$ by the strong extractor property, thus they give no information about $\mathrm{Ext}(W, Y)$, and neither do the bits that Alice tries to send to Bob). Since $\mathrm{Ext}(W, Y)$ is close to uniform, Eve has to come up with at least $C_{1i} - 3C_{1i}/4 = C_{1i}/4 \ge t/2$ new random bits. Therefore Eve's success probability is roughly $2^{-\Omega(t)}$. The cases of deletion and of changing a 0 to a 1 are similar, because we have chosen $\{C_{1i}\}, \{C_{2i}\}, \{C_{3i}\}$ such that each number is always greater than the sum of the previous two. The only case where Eve might succeed with probability 1 is changing a 1 to a 0. However, as in the context of [KR09, CKOR10], the number of 1's in the message is known to Bob. Therefore Eve cannot always perform operations that change a 1 to a 0.
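The following Python simulation is an added illustration and not code from the paper: it runs one phase of the bit-by-bit protocol described above, with SHA-256 in counter mode assumed as a stand-in for the strong seeded extractor $\mathrm{Ext}$ (it is not an information-theoretic extractor), a `tamper` callback playing Eve on the channel, and `eve_fresh_bits` carrying out the $C_{3(i-1)} + C_{2(i-1)} = 3C_{1i}/4$ accounting from the preceding paragraph. The function names, the 16-byte seeds and the sample secret `W` are hypothetical.

```python
import hashlib
import secrets


def ext(w: bytes, seed: bytes, nbits: int) -> str:
    """Stand-in for the strong seeded extractor Ext(W, seed) (assumption).

    SHA-256 in counter mode is NOT an information-theoretic extractor; it is a
    deterministic placeholder so the prefix bookkeeping can be run. Returns a
    string of nbits '0'/'1' characters.
    """
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big") + w).digest()
        ctr += 1
    return "".join(f"{b:08b}" for b in out)[:nbits]


def prefix_lengths(t: int):
    """(C_{1i}, C_{2i}, C_{3i}) = (2^{3i-2} t, 2^{3i-1} t, 2^{3i} t) for i = 1..t."""
    return [(2 ** (3 * i - 2) * t, 2 ** (3 * i - 1) * t, 2 ** (3 * i) * t)
            for i in range(1, t + 1)]


def eve_fresh_bits(t: int, i: int) -> int:
    """Bits Eve must invent to insert a 0 in round i (1-based) of a phase.

    Bob expects the length-C_{1i} prefix of Ext(W, Y). All Eve has seen of the
    two extractor outputs in this phase is at most C_{3(i-1)} + C_{2(i-1)}
    = 3 C_{1i} / 4 bits, leaving C_{1i}/4 >= t/2 bits she has never seen.
    """
    c = prefix_lengths(t)
    need = c[i - 1][0]
    seen = 0 if i == 1 else c[i - 2][2] + c[i - 2][1]
    return need - seen


def run_phase(w: bytes, bits: list, t: int, tamper=None):
    """One phase: Alice authenticates exactly t bits to Bob.

    tamper(who, i, msg) is the channel under Eve's control: who is "A" or "B",
    i is the round (0 = seed exchange), msg the payload; it returns what the
    other party receives. Returns Bob's accepted bits, or None on abort (⊥).
    """
    assert len(bits) == t
    tamper = tamper or (lambda who, i, msg: msg)
    c = prefix_lengths(t)
    total = c[-1][2]                        # longest prefix ever compared
    x, y = secrets.token_bytes(16), secrets.token_bytes(16)  # fresh seeds X, Y
    x_bob = tamper("A", 0, x)               # X' as received by Bob
    y_alice = tamper("B", 0, y)             # Y' as received by Alice
    ext_wy_alice = ext(w, y_alice, total)   # Alice computes Ext(W, Y')
    ext_wx_alice = ext(w, x, total)         # Alice computes Ext(W, X)
    ext_wx_bob = ext(w, x_bob, total)       # Bob computes Ext(W, X')
    ext_wy_bob = ext(w, y, total)           # Bob computes Ext(W, Y)
    received = []
    for i, (c1, c2, c3) in enumerate(c, start=1):
        b = bits[i - 1]
        msg = (b, ext_wy_alice[:c1 if b == 0 else c2])
        b_rx, pre_rx = tamper("A", i, msg)
        expect = c1 if b_rx == 0 else c2
        if len(pre_rx) != expect or pre_rx != ext_wy_bob[:expect]:
            return None                     # Bob aborts with ⊥
        received.append(b_rx)
        resp = tamper("B", i, ext_wx_bob[:c3])
        if resp != ext_wx_alice[:c3]:
            return None                     # Alice aborts with ⊥
    return received


def flip_bit(t: int, round_no: int, new_bit: int):
    """Eve rewrites Alice's bit in round `round_no` to `new_bit`.

    1 -> 0 only truncates a prefix Eve already holds, so Bob always accepts
    (the case the text rules out by letting Bob know the number of 1's).
    0 -> 1 needs C_{2i} - C_{1i} bits of Ext(W, Y) Eve never saw; against a
    near-uniform string any fixed guess does as well as a random one.
    """
    c1, c2, _ = prefix_lengths(t)[round_no - 1]

    def tamper(who, i, msg):
        if who != "A" or i != round_no or msg[0] == new_bit:
            return msg
        pre = msg[1]
        if new_bit == 0:
            return (0, pre[:c1])
        return (1, pre + "0" * (c2 - len(pre)))
    return tamper


# Constructed sample secret; a real W would be a weak source with min-entropy k.
W = b"constructed-weak-shared-secret-for-the-simulation"
```

`run_phase(W, [0, 1, 1, 0], 4)` returns the bits unchanged, `flip_bit(4, 2, 0)` is accepted by Bob, and `flip_bit(4, 3, 1)` makes Bob abort because Eve must supply $C_{23} - C_{13} = 512$ bits she has never seen.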

The actual analysis is more complicated, since after some operations made by Eve, the round numbers of Alice and Bob may no longer be the same. In fact they might not even be in the same phase, and we have to do the analysis in Eve's view. Nevertheless the above discussion captures the main ideas behind the analysis. In Eve's view, we define a phase as the rounds from the one where either Alice or Bob starts a new phase to the one before the next round where either Alice or Bob starts a new phase. The key point here is that in a new phase, either Alice or Bob will announce a fresh random seed. Suppose Alice does and the fresh random seed is $X$. Now conditioned on the fixing of the entire previous transcript, $X$ is uniform, and $W$ has a lot of entropy left and is independent of $X$. Thus $\mathrm{Ext}(W, X)$ is close to uniform conditioned on the previous transcript. Hence whenever Eve has to answer a challenge, her success probability is at most $2^{-\Omega(t)}$ by the above analysis. Now again by the property of the error correcting code, Eve has to make edit operations to change one codeword to another. Intuitively these operations will fall into $\Omega(\ell/t)$ phases. We again show that for a constant fraction of these phases, Eve has to answer at least one challenge. Thus the overall success probability of Eve is at most $(2^{-\Omega(t)})^{\Omega(\ell/t)} = 2^{-\Omega(\ell)}$.

Note that the total entropy loss of the protocol is roughly $2^{3t}\ell$. Thus we can choose $t = O(\log n)$ and the entropy loss of the protocol will be $n^{\gamma}\ell$ for an arbitrary constant $0 < \gamma < 1$. Therefore we need the entropy of $W$ to be at least $n^{\beta}$ for an arbitrary constant $0 < \beta < 1$.

1.2.2 Using Local Weak Random Sources 

Here what we do is to reduce to the case where Alice and Bob have access to local private random bits. In other words, we want to design a protocol such that at the end of the protocol, Alice and Bob end up with nearly private and random bits, while their shared secret $W$ still has a lot of entropy left. Non-constructively, this is simple, because non-constructively there exist strong two-source extractors for min-entropy as small as $k > \log n$. If we have a strong two-source extractor, then Alice and Bob each apply this extractor to their own source and $W$. By the property of the strong two-source extractor, even conditioned on $W$, their outputs are close to uniform. Moreover, conditioned on $W$ their outputs are deterministic functions of their own sources, and are thus independent. Eve also knows nothing about their outputs since all computations are private. Thus we are done. In the other case where Alice and Bob each have an independent source with entropy $k = (1/2 + \delta)n$, a construction of Raz [Raz05] serves as a strong two-source extractor. Thus in this case we have an explicit protocol.

The hard case is where Alice and Bob only have independent sources with entropy $k = \delta n$. Our starting point here is how we can construct an extractor for these three sources $X$, $Y$ and $W$. In other words, let's first forget about the communication problem and see how we can get a 3-source extractor.

Since $X$ has linear min-entropy, a standard approach would be to convert $X$ into a somewhere high entropy (say entropy rate 0.9) source $X$, using the condenser based on the sum-product theorem [BKS+05, Zuc07]. $X$ is a matrix with a constant number of rows such that at least one of the rows has entropy rate 0.9. Once we have this, we can apply Raz's extractor to each row of $X$ and $W$, and we get a somewhere random source with a constant number of rows. Now we can extract from such a source and an independent weak random source using the two-source extractor in [BRSW06].

So now how do we use these ideas in the case where Alice and Bob are separated by a channel controlled by an active adversary Eve? As a first step, we still convert $X$ and $Y$ into somewhere high entropy (say entropy rate 0.9) sources $X$ and $Y$ with $D = O(1)$ rows. Next we apply Raz's extractor to each row of $X$ and $W$, and each row of $Y$ and $W$. Thus we get two somewhere random sources $SR_X$ and $SR_Y$. Note that since Raz's extractor is a strong two-source extractor, the random rows in $SR_X$ and $SR_Y$ are close to being independent of $W$. This is important for us.

Next, we have Alice authenticate a string to Bob. To do this, we want to use the authentication protocol we discussed in the previous section. However, now Alice and Bob don't have access to random bits. The important observation here is that they have somewhere random sources. In particular, the random rows of $SR_X$ and $SR_Y$ can be used as seeds for a strong seeded extractor in the authentication protocol (since they are independent of $W$). Of course we don't know which row is the random row, thus we take a slice of small width from the somewhere random sources (so that $X$ and $Y$ don't lose much entropy) and use these slices in the authentication protocol. We call these slices $X_1$ and $Y_1$. How do we use them? As before, Alice and Bob announce their slices to each other, and each time they communicate they compute prefixes of the outputs of an extractor. They then check whether the prefixes they received match the prefixes they compute locally. Only this time we apply the extractor to $W$ using each row of the slice as a seed. Thus the output of the extractor is also a matrix of $D$ rows. Since the random row of the slice is close to being independent of $W$, the output of the extractor is also somewhere random. Next, instead of increasing the length of the prefix by a factor of 2 each time, we increase the length of the prefix by a factor of $2D$, because each time Alice or Bob reveals a matrix of $D$ rows. Now as before, to answer a challenge Eve has to come up with the random row in the output of the extractor, whose length is larger than the total number of bits revealed so far. Therefore Eve can only succeed with a small probability. One thing to note here is that we don't use the error correcting code as in the previous section. All we need is to make sure that Eve has to answer at least one challenge. Given this protocol, Alice uses it to send another small slice of $SR_X$ to Bob, and Bob uses this slice to extract random bits from his own source. We call this slice $X_2$.

There are two problems with the above discussion. First, the small slice $X_2$ sent by Alice may not be independent of $W$ or of the random row of the extractor output. Second, since each time the length of the prefix increases by a factor of $2D$ and each time we want fresh entropy in the extractor output, Alice can only send $\alpha \log k$ bits for some $\alpha < 1$, where $k$ is the entropy of $W$. With this small number of bits it's not clear how Bob can extract random bits from his own source.

For the first problem, we show that although the small slice $X_2$ sent by Alice may not be independent of $W$ or of the random row of the extractor output, with high probability over the fixings of $X_2$, the random row of the extractor output has very high min-entropy. This is mainly because the length of $X_2$ is very small compared to the extractor output, so a typical fixing of it doesn't reduce the entropy of the random row of the extractor output by much. Now we can show that with the correct parameters, the high min-entropy row of the extractor output still suffices for authentication. Thus for a typical value of the small slice, the success probability of Eve changing it is still small. Note that Eve may now be able to change a small probability mass of the slice sent by Alice, but that doesn't hurt us much. This is different from the case where Alice and Bob have local random bits. For the second problem, luckily Bob also has a somewhere random source $SR_Y$. Thus we can take a small slice $Y_2$ of $SR_Y$ so that the two-source extractor from [BRSW06] can be used to extract random bits from these two sources.

Now suppose that Bob correctly received the small slice $X_2$ sent by Alice, and Bob takes a small slice $Y_2$ of his somewhere random source. Let the output of the [BRSW06] extractor be $R$. We first fix $W$; now $X_2$ and $Y_2$ are deterministic functions of $X$ and $Y$ respectively, and are thus independent. Moreover $X_2$ is somewhere random. Thus $R$ is close to uniform. Furthermore, since the two-source extractor from [BRSW06] is strong, we can now fix $Y_2$, and conditioned on this fixing $R$ is still close to uniform. Now $R$ is a deterministic function of $X$. Note that now all strings revealed by Bob are functions of $Y_1$ and $X_1$ (since $W$ is fixed), and $Y_1$ is a deterministic function of $Y$ and has small size. Thus we can further fix $Y_1$, and conditioned on this fixing $R$ is still close to uniform and is independent of $Y$. Moreover $Y$ has a lot of entropy left and all the strings revealed by Bob are now deterministic functions of $X_1$. Therefore now we can apply a strong seeded extractor to $Y$ and $R$, and Bob obtains $S_Y$. Note that we can condition on $R$ and $S_Y$ is still close to uniform by the strong extractor property. Now $S_Y$ is a deterministic function of $Y$ and is thus independent of all the transcripts revealed so far, and of $X$. Thus Bob has obtained random bits that are close to uniform and private.

We actually cheated a little bit above, because again the size of R is very small compared to Y. 
Thus we won't be able to apply a seeded extractor to Y and R. However we can fix this problem 
by taking a slice Y_3 of SR_y. The size of Y_3 is much larger compared to the length of the transcript, 
but much smaller compared to Y. It is actually a slice with width k^{Ω(1)} (R will have size Ω(log k)). 
Since in the analysis we fix W, Y_3 is a deterministic function of Y, and the random row of Y_3 still 
has a lot of entropy left conditioned on the fixings of the transcript. Therefore we can apply the 
strong seeded extractor to Y_3 and R, and the above analysis about Bob obtaining private random 
bits still holds. 

By symmetry Alice can also take a slice X_3 of SR_x and apply a strong seeded extractor to 
X_3 and R, and the above argument would also work for Alice. Therefore now Bob can use the 
authentication protocol to send R to Alice, and Alice applies the extractor to X_3 and R. By the 
same discussion above Eve may be able to change only a small probability mass of R, and this 
doesn't hurt us much. Thus at the end of the protocol Alice and Bob end up with nearly private 
and uniform random bits, while their shared secret W still has a lot of entropy left. Thus we have 
reduced the problem to the case where Alice and Bob have access to local uniform random bits, and 
previous results can be used to construct a privacy amplification protocol. However since we only 
manage to send Ω(log k) bits from Alice to Bob, the error of the extractor and thus the security 
parameter of the protocol is Ω(log k). 

2 Roadmap 

The rest of the paper is organized as follows. In Section 3 we give the preliminaries and previous 
works that we use. In Section 4 we briefly describe the error correcting code that we use for edit 
errors, as in [CKOR10]. Section 5 gives the formal description of our protocol to achieve the optimal 
number of local random bits, and the analysis of the protocol. Section 6 gives our protocols for 
privacy amplification with local weak random sources, and the analysis of these protocols. We 
conclude in Section 7 with some open problems. Finally in Appendix A we outline a proof sketch 
of Theorem 3.10, which has slight differences in parameters from the theorem in [BRSW06]. 

3 Preliminaries 

We use common notations such as ∘ for concatenation and [n] for {1, 2, ..., n}. All logarithms are 
to the base 2. We often use capital letters for random variables and corresponding small letters for 
their instantiations. 

3.1 Basic Definitions 

Definition 3.1 (statistical distance). Let D and F be two distributions on a set S. Their statistical 
distance is 

|D - F| \stackrel{\mathrm{def}}{=} \max_{T \subseteq S} \left( |D(T) - F(T)| \right) = \frac{1}{2} \sum_{s \in S} |D(s) - F(s)|. 

If |D − F| ≤ ε we say that D is ε-close to F. 

Definition 3.2. The min-entropy of a random variable X is defined as 

H_\infty(X) = \min_{x \in \mathrm{supp}(X)} \{ -\log_2 \Pr[X = x] \}. 

We say X is an (n, k)-source if X is a random variable on {0, 1}^n and H_∞(X) ≥ k. When n is 
understood from the context we simply say that X is a k-source. 

3.2 Somewhere Random Sources, Extractors and Condensers 

Definition 3.3 (Somewhere Random sources). A source X = (X_1, ..., X_t) is (r, t) somewhere-
random (SR-source for short) if each X_i takes values in {0, 1}^r and there is an i such that X_i is 
uniformly distributed. 

Definition 3.4. An elementary somewhere-k-source is a vector of sources (X_1, ..., X_t), such that 
some X_i is a k-source. A somewhere k-source is a convex combination of elementary somewhere-k-
sources. 

Definition 3.5. A function C : {0, 1}^n × {0, 1}^d → {0, 1}^m is a (k → l, ε)-condenser if for every 
k-source X, C(X, U_d) is ε-close to some l-source. When convenient, we call C a rate-(k/n → l/m, ε)-
condenser. 

Definition 3.6. A function C : {0, 1}^n × {0, 1}^d → {0, 1}^m is a (k → l, ε)-somewhere-condenser 
if for every k-source X, the vector (C(X, y))_{y ∈ {0,1}^d} is ε-close to a somewhere-l-source. When 
convenient, we call C a rate-(k/n → l/m, ε)-somewhere-condenser. 

Definition 3.7. A function Ext : {0, 1}^n × {0, 1}^d → {0, 1}^m is a strong seeded extractor for 
min-entropy k and error ε if for every min-entropy k source X, 

|(\mathrm{Ext}(X, R), R) - (U_m, R)| \le \varepsilon, 

where R is the uniform distribution on d bits independent of X, and U_m is the uniform distribution 
on m bits independent of R. 

Definition 3.8. A function TExt : {0, 1}^{n_1} × {0, 1}^{n_2} → {0, 1}^m is a strong two source extractor 
for min-entropy k_1, k_2 and error ε if for every independent (n_1, k_1) source X and (n_2, k_2) source Y, 

|(\mathrm{TExt}(X, Y), X) - (U_m, X)| \le \varepsilon 

and 

|(\mathrm{TExt}(X, Y), Y) - (U_m, Y)| \le \varepsilon, 

where U_m is the uniform distribution on m bits independent of (X, Y). 

3.3 Previous Work that We Use 

We are going to use condensers recently constructed based on the sum-product theorem. The 
following construction is due to Zuckerman [Zuc07]. 

Theorem 3.9 ([Zuc07]). For any constants β, δ > 0, there is an efficient family of rate-(δ → 1 − β, 
ε = 2^{−Ω(n)})-somewhere condensers Zuc : {0, 1}^n → ({0, 1}^m)^D where D = O(1) and m = Ω(n). 

The following theorem is adapted from [BRSW06]. 

Theorem 3.10 (General Source vs Somewhere random source with few rows Extractor [BRSW06]). 
For every n, k(n) with k > log^{10} n, and constant D > 1, there is a polynomial time computable 
function SRGExt : {0, 1}^n × {0, 1}^{Dk} → {0, 1}^m s.t. if X is an (n, k) source and Y is a (D × k)-
SR-source, 

|(Y, \mathrm{SRGExt}(X, Y)) - (Y, U_m)| < \varepsilon 

and 

|(X, \mathrm{SRGExt}(X, Y)) - (X, U_m)| < \varepsilon, 

where U_m is independent of X, Y, m = Ω(k) and ε = 2^{−Ω(k)}. 

Note that the parameters here are slightly different from the statement in [BRSW06]. For a 
proof sketch see Appendix A. 

Theorem 3.11 ([Raz05]). For any n_1, n_2, k_1, k_2, m and any 0 < δ < 1/2 with 

• n_1 ≥ 6 log n_1 + 2 log n_2 

• k_1 ≥ (0.5 + δ) n_1 + 3 log n_1 + log n_2 

• k_2 ≥ 5 log(n_1 − k_1) 

• m ≤ δ min[n_1/8, k_2/40] − 1 

there is a polynomial time computable strong 2-source extractor Raz : {0, 1}^{n_1} × {0, 1}^{n_2} → 
{0, 1}^m for min-entropy k_1, k_2 with error 2^{−1.5m}. 

For a strong seeded extractor with optimal parameters, we use the following extractor 
constructed in [GUV07]. 

Theorem 3.12 ([GUV07]). For every constant α > 0, and all positive integers n, k and ε > 
exp(−n/2^{O(log* n)}), there is an explicit construction of a strong (k, ε) extractor Ext : {0, 1}^n × 
{0, 1}^d → {0, 1}^m with d = O(log n + log(1/ε)) and m ≥ (1 − α)k. 

We need the following simple lemma about statistical distance. 

Lemma 3.13. Assume we have 3 random variables X_1, Y_1, Y_2 such that |Y_1 − Y_2| ≤ ε. Then there 
exists a random variable X_2 with the same support as X_1, such that 

|(X_1, Y_1) - (X_2, Y_2)| \le \varepsilon. 
Proof. We construct the random variable X_2 and the distribution (X_2, Y_2) as follows. For any y, 
consider Pr[Y_1 = y], Pr[Y_2 = y] and the distribution (X_1, Y_1 = y). Let δ = Pr[Y_1 = y] − Pr[Y_2 = y]. 
If δ ≥ 0, then we do the following: 

1. Define an arbitrary order on the support of X_1. 

2. While δ > 0, pick a new x from the support according to the above order and let p = Pr[X_1 = 
x, Y_1 = y]. 

3. Let Pr[X_2 = x, Y_2 = y] = p − min(p, δ). 

4. Let δ = δ − min(p, δ). 

5. When δ = 0, for all the remaining x, let Pr[X_2 = x, Y_2 = y] = Pr[X_1 = x, Y_1 = y]. 

If δ < 0, then we do the following: 

1. Pick an arbitrary x from the support of X_1 and let p = Pr[X_1 = x, Y_1 = y]. 

2. Let Pr[X_2 = x, Y_2 = y] = p − δ. 

3. For all the other x in the support of X_1, let Pr[X_2 = x, Y_2 = y] = Pr[X_1 = x, Y_1 = y]. 

It is easy to see that the distribution (X_2, Y_2) has marginal distribution Y_2 and |(X_1, Y_1) − 
(X_2, Y_2)| = |Y_1 − Y_2| ≤ ε. □ 

We are going to use the following standard lemma about conditional min-entropy. 

Lemma 3.14 ([MW97]). Let X and Y be random variables and let 𝒴 denote the range of Y. Then 
for all ε > 0 



In [KR09], it is shown that an interactive authentication protocol can be used to construct a privacy 
amplification protocol. Specifically, we have the following theorem. 

Theorem 3.15 ([KR09]). Suppose there exists an efficient (k, ℓ) interactive authentication protocol 
for messages of length Θ(ℓ + log n); then there exists an efficient (k, λk, 2^{−ℓ}, ε) privacy amplification 
protocol. 

4 Edit Distance Codes 

We are going to use a family of codes designed for edit distance errors, as in [CKOR10]. We have 
the following definitions. 

Definition 4.1. [CKOR10] For any two strings c and d of length λ_c, let EditDis(c, d) denote the 
edit distance between c and d, i.e., the number of single-bit insert and delete operations required 
to change string c into d. 
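The coupling built in the proof of Lemma 3.13 above, as an added worked example (this is not code from the paper): it implements the per-y case analysis with exact rational arithmetic and checks, on a constructed pair of distributions, that the resulting (X_2, Y_2) has Y_2 as its marginal and that the joint statistical distance equals |Y_1 − Y_2|. Distributions are dictionaries of Fractions; the names `couple`, `statistical_distance` and `marginal_y` are ours.

```python
from fractions import Fraction


def statistical_distance(p, q):
    """|P - Q| = (1/2) sum_s |P(s) - Q(s)|, the second form in Definition 3.1."""
    keys = set(p) | set(q)
    return sum(abs(p.get(s, 0) - q.get(s, 0)) for s in keys) / 2


def marginal_y(joint):
    """Marginal on the second coordinate of a joint distribution {(x, y): prob}."""
    out = {}
    for (_, y), prob in joint.items():
        out[y] = out.get(y, 0) + prob
    return out


def couple(joint_x1y1, dist_y2):
    """Construct (X2, Y2) from (X1, Y1) and the marginal Y2 as in the proof of
    Lemma 3.13: for each y let delta = Pr[Y1 = y] - Pr[Y2 = y]; if delta >= 0,
    shave min(p, delta) off the cells (x, y) in a fixed order until delta is used
    up, otherwise copy all cells and add -delta to one arbitrary cell."""
    xs = sorted({x for x, _ in joint_x1y1})     # step 1: a fixed order on supp(X1)
    out = {}
    for y in {y for _, y in joint_x1y1} | set(dist_y2):
        delta = sum(joint_x1y1.get((x, y), 0) for x in xs) - dist_y2.get(y, 0)
        if delta >= 0:
            for x in xs:                         # steps 2-5 of the delta >= 0 case
                p = joint_x1y1.get((x, y), 0)
                cut = min(p, delta)
                out[(x, y)] = p - cut
                delta -= cut
        else:
            for x in xs:                         # delta < 0: keep every cell ...
                out[(x, y)] = joint_x1y1.get((x, y), 0)
            out[(xs[0], y)] += -delta            # ... and put the missing mass on one x
    return {cell: prob for cell, prob in out.items() if prob > 0}


def check_lemma(joint_x1y1, dist_y2):
    """Return (|Y1 - Y2|, |(X1, Y1) - (X2, Y2)|, Y2-marginal-of-(X2, Y2) == Y2)."""
    joint_x2y2 = couple(joint_x1y1, dist_y2)
    eps = statistical_distance(marginal_y(joint_x1y1), dist_y2)
    return eps, statistical_distance(joint_x1y1, joint_x2y2), marginal_y(joint_x2y2) == dist_y2


# Constructed sample: X1 uniform on {a, b}, independent of Y1 uniform on {0, 1};
# Y2 puts 3/8 on 0 and 5/8 on 1, so |Y1 - Y2| = 1/8.
JOINT_X1Y1 = {("a", 0): Fraction(1, 4), ("b", 0): Fraction(1, 4),
              ("a", 1): Fraction(1, 4), ("b", 1): Fraction(1, 4)}
DIST_Y2 = {0: Fraction(3, 8), 1: Fraction(5, 8)}

if __name__ == "__main__":
    print(couple(JOINT_X1Y1, DIST_Y2))
    print(check_lemma(JOINT_X1Y1, DIST_Y2))
```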
Definition 4.2. [CKOR10] Let m ∈ {0, 1}^{λ_m}. For some constant 0 < ε < 1, a function Edit : 
{0, 1}^{λ_m} → {0, 1}^{λ_c} is a (λ_m, ε, ρ)-error-detecting code for edit errors, if ρ λ_c = λ_m and the following 
properties are satisfied: 

• c = Edit(m) can be computed in polynomial (in λ_m) time, given m, for all m ∈ {0, 1}^{λ_m}. 

• For any m, m' ∈ {0, 1}^{λ_m} with m ≠ m', EditDis(c, d) ≥ ε λ_c, where c = Edit(m) and d = 
Edit(m'). 

ρ = λ_m/λ_c is called the rate of the code. 

As in [CKOR10] the code we use is due to Schulman and Zuckerman [SZ99]: 

Theorem 4.3 ([SZ99, CKOR10]). Let 0 < ε < 1 be a constant. Then for some constant 0 < ρ < 1 
there exists a (λ_m, ε, ρ)-error-detecting code for edit errors. Moreover, each codeword has the same 
Hamming weight (the number of 1's). 

5 Reducing the Number of Local Random Bits 

In this section we show how we can reduce the number of local random bits used. First we give 
a new authentication protocol that can be used to authenticate a short message. In this protocol 
Alice and Bob only announce a fresh random string to each other at the beginning. We need the 
following definition. 

Definition 5.1. Given an n bit string r = r_1 ··· r_n, define Pre(r, s) to be the prefix of r of length s. 
Define r[a : b] to be the substring r_a ··· r_b of r. Let wt(r) stand for the weight of r, i.e., the number 
of 1's in r. 

Now we have the following protocol. 

Protocol SAuth(w, m, t): 

• Alice and Bob share an n-bit secret random string w with min-entropy k. 

• Alice wishes to authenticate a t-bit string m = m_1 ··· m_t to Bob. 

• Let Ext be a strong extractor as in Theorem 3.12, set up to use O(t) bits to extract 2^{3t} t bits 
that are 2^{−Ω(t)}-close to uniform. 

• Let c > 1 be some integer. Define three sets of integers as C_{1i} = 2^{3i−2} t, C_{2i} = 2^{3i−1} t, C_{3i} = 2^{3i} t, 
where i = 1, ..., t. 

1. Alice sends Bob a fresh random seed x, and Bob sends Alice a fresh random seed y. 

2. Alice receives y and computes r_y = Ext(w, y); Bob receives x and computes r_x = Ext(w, x). 

3. For i = 1 to t do the following: 

Step a: If m_i = 0, Alice sends (0, Pre(r_y, C_{1i})) to Bob. Otherwise she sends (1, Pre(r_y, C_{2i})) 
to Bob. 

Step b: Bob receives the message and verifies Pre(r_y, C_{1i}) = Pre(Ext(w, y), C_{1i}) in the 0 
case and Pre(r_y, C_{2i}) = Pre(Ext(w, y), C_{2i}) in the 1 case. If the verification does not go 
through, abort. Bob then sends Pre(r_x, C_{3i}) to Alice. 

Step c: Alice receives the message and verifies Pre(r_x, C_{3i}) = Pre(Ext(w, x), C_{3i}). 

Now we want a protocol that can authenticate a long message, say a message with ℓ bits. We 
assume that the number of 1's in the message is known to Bob. We have the following protocol, 
where Alice and Bob execute protocol SAuth ℓ/t times and each time Alice authenticates t bits 
to Bob. 

Protocol Auth(w, m, t): 

• Alice and Bob share an n-bit secret random string w with min-entropy k. 

• Alice wishes to authenticate an ℓ-bit string m = m_1 ··· m_ℓ to Bob. 

1. For j = 1 to ℓ/t do: 

Alice and Bob execute protocol SAuth(w, m[(j−1)t + 1 : jt], t). 

2. When ℓ bits have been received, Bob verifies that the number of ones in the message is wt(m). Abort 
otherwise. 

Now we can describe our final protocol. 

Protocol NAuth(w, m): 

• Alice and Bob share an n-bit secret random string w with min-entropy k. 

• Alice wishes to authenticate an ℓ-bit string m = m_1 ··· m_ℓ to Bob. 

• Let Edit(m) stand for the edit distance encoding of the string m, as in Theorem 4.3. 

• Let t > 0 be some integer parameter to be chosen later. 

1. Alice sends Bob the message m. Let m' denote the message received by Bob. 

2. Alice and Bob execute protocol Auth(w, s, t) where s = Edit(m). 

3. Let s' stand for the string received by Bob. Bob computes Edit(m'). If s' = Edit(m'), Bob 
accepts m' as the received message. Otherwise, Bob rejects and aborts. 

5.1 Analysis of the protocol 

Let D denote the edit distance between Edit(m) and Edit(m'), where the operations are insertion 
and deletion, as in Theorem 4.3. Let D' denote the number of insertions, deletions and changes of 
bits from 0 to 1 that Eve has to make to change Edit(m) to Edit(m'). We have the following claim. 

Claim 5.2. D' ≥ D/4. 
Proof of the claim. Since the operations that Eve can do include insertion, deletion and changing 
bits, we first consider the edit distance under these operations. Let D̃ denote the edit distance 
between Edit(m) and Edit(m'), under insertion, deletion and changing bits (0 to 1 and 1 to 0). 
Since every operation of changing a bit can be replaced by two operations of insertion and deletion 
(e.g., deleting a "0" and inserting a "1"), we have 

\tilde{D} \ge D/2. 

Let P_0 stand for the operation of changing 0 to 1, let P_1 stand for the operation of changing 1 
to 0, and let P_2 stand for the operation of insertion or deletion. Let n_0 denote the number of P_0 
operations Eve made, let n_1 denote the number of P_1 operations Eve made, and let n_2 denote the 
number of P_2 operations Eve made. 

Now consider the sequence of operations that Eve made. It is a sequence of P_0, P_1 and P_2. 
Note that the number of 1's in Edit(m) and Edit(m') are the same. However if Eve makes n_0 P_0 
operations and n_1 P_1 operations, then there will be n_1 − n_0 more 0's in Edit(m'). These 0's must 
be changed back to 1's by insertion and deletion. Since changing a bit must take one deletion and 
one insertion, we have 

n_2 \ge 2(n_1 - n_0). 

Also by the definition of edit distance we have 

n_0 + n_1 + n_2 \ge \tilde{D}. 

Thus we have 

D' = n_2 + n_0 \ge 3n_2/4 + (n_1 - n_0)/2 + n_0 \ge (n_0 + n_1 + n_2)/2 \ge \tilde{D}/2 \ge D/4. 

□ 

We now need the following two definitions. 

Definition 5.3. (Challenge) We say that Eve has to answer a challenge if the following happens: 
Conditioned on the fixing of some random variable V, the information that Eve is left with (from 
the strings revealed by Alice and Bob) has l bits, and now Eve has to come up with a (close to) 
uniform random string with at least l + 2t bits to avoid detection. 

Definition 5.4. (Phases) In Alice or Bob's view, a phase is the period of one execution of Protocol 
SAuth(w, m, t). In Eve's view of the protocol, a phase is defined as the rounds from the round 
where either Alice or Bob starts a new phase (announces a fresh random seed) to the round before 
the next round where either Alice or Bob starts a new phase. In Eve's view, we say a phase is a 
bad phase if it contains an operation of insertion, deletion or changing a bit from 0 to 1. We say a 
phase is a challenge phase if in that phase Eve has to answer at least one challenge. 

Now we have the following lemma. 

Lemma 5.5. In any two adjacent bad phases, at least one of them is a challenge phase. 
Proof. Here for the purpose of clear statements we shall use words like "w.h.p." and "close to 
uniform". We'll deal with probability errors in the proof of the main theorem. 

Let's consider the first bad phase. It starts with a round where either Alice or Bob announces 
a fresh random seed. Suppose Alice announces a fresh random seed X. This means that in Alice's 
view, she is starting a new phase. Now consider Bob. There are two cases. 

Case 1: Bob is also starting a new phase. Thus Bob also announces a fresh random seed Y. 
Now we can fix all previous seeds announced by Alice and Bob, and X and Y are still uniform and 
independent. Now after this fixing all previous strings revealed by Alice and Bob are deterministic 
functions of w. Therefore we can further fix all these strings and conditioned on these fixings w.h.p. 
W still has a lot of min-entropy left (we choose parameters that guarantee this happens). Thus 
(Ext(W, X), Ext(W, Y)) is close to uniform, even conditioned on (X, Y), by Theorem 3.12. In this 
case we claim that the first operation of insertion, deletion or changing a bit from 0 to 1 will result 
in Eve's having to answer a challenge. 

To see this, note that before such an operation, the round numbers of this phase in Alice's and 
Bob's view are the same. Let i be the round in which the first such operation takes place. Note 
that we have fixed all strings in previous phases. 

• If the operation is an insertion, then Eve has to at least come up with Pre(Ext(W, Y), C_{1i}), 
which has 2^{3i−2} t bits. If i = 1 then this is 2t bits and Eve has no other information about it. 
If i > 1 then Eve has at most C_{2(i−1)} + C_{3(i−1)} = 3C_{1i}/4 bits. Thus 

C_{1i} - 3C_{1i}/4 = 2^{3i-2} t/4 \ge 2t. 

• If the operation is a deletion, then Eve has to at least come up with Pre(Ext(W, X), C_{3i}), 
which has 2^{3i} t bits. Meanwhile Eve has at most C_{2i} + C_{3(i−1)} ≤ 3C_{3i}/4 bits of information. 
Thus 

C_{3i} - 3C_{3i}/4 = 2^{3i} t/4 \ge 2t. 

• If the operation is changing a bit from 0 to 1, then Eve has to come up with Pre(Ext(W, Y), C_{2i}), 
which has 2^{3i−1} t bits. If i = 1 then Eve has at most C_{1i} = C_{2i}/2 bits of information. Thus 

C_{2i} - C_{2i}/2 = 2^{3i-1} t/2 \ge 2t. 

If i > 1 then Eve has at most C_{1i} + C_{3(i−1)} = 3C_{2i}/4 bits of information. Thus 

C_{2i} - 3C_{2i}/4 = 2^{3i-1} t/4 \ge 2t. 

Thus in this case the first bad phase is a challenge phase. 

Case 2: Bob is in the middle of an old phase. In this case we claim that the only operation 
that Eve can make to avoid a challenge is the insertion operation. 

To see this, consider all the strings that are revealed by Bob, and the strings that are going 
to be revealed by Bob until Bob enters a new phase. Except for the random seeds that Bob has 
announced, these strings are all substrings of Ext(W, X'), where X' is a deterministic function of 
strings revealed before X is revealed. In other words, Eve cannot change X' while Bob is in the 
middle of a phase. Therefore X is completely independent of all these strings. Thus we can fix all 
the strings (including the strings that Bob is going to reveal before he enters a new phase) and 
w.h.p. W still has a lot of min-entropy left. Thus Ext(W, X) is close to uniform conditioned on all 
these fixings and the fixing of X. 

Now if Eve is ever going to make a deletion, or change a bit, then she has to come up with 
Pre(Ext(W, X), C_{3i}) as Bob's response, which has C_{3i} bits. Meanwhile Eve has at most C_{2i} = C_{3i}/2 
bits of information (since strings from Bob are fixed). Thus 

C_{3i} - C_{3i}/2 = 2^{3i} t/2 \ge 2t, 

and this operation will be a challenge for Eve. 

If so then again the first bad phase is a challenge phase. Otherwise the only thing Eve can do 
is to keep inserting until Bob enters a new phase. Now in Eve's view also a new phase begins, 
and it is a phase where Alice and Bob start a new phase simultaneously (since inserting does not 
change the round number in Alice's view). Thus until the next bad phase Alice and Bob will always 
have the same round number during a phase, and the next bad phase will be a phase of Case 1. 
Therefore in this case the next bad phase will be a challenge phase. 

The case where a new phase in Eve's view starts by Bob entering a new phase is similar and 
symmetric; we thus omit the details here. □ 

Now suppose in the protocol the code Edit(m) has length l. By the property of the code there 
exists a constant α > 0 s.t. the edit distance between Edit(m) and Edit(m') is D ≥ αl. 
We have the following theorem. 

Theorem 5.6. For all positive integers n and l = Ω(log n), assume that Alice and Bob share an 
(n, k) weak random source W with k ≥ 10 · 2^{3t} l. Then Alice can authenticate l bits of message to 
Bob by using Protocol NAuth(w, m). The probability that Eve can successfully change the message 
to a different string is at most 2^{−Ω(l)} and the total number of random bits that Alice and Bob use 
is O(l). 

Proof. The total number of bits that Alice and Bob reveal during the protocol is at most 2 · 2^{3t} t · l/t = 
2 · 2^{3t} l. At each phase j in Eve's view, where Alice or Bob uses a new chunk of fresh random bits, 
let B_{j0} stand for the event that conditioned on the fixings of all the strings that Alice and Bob 
have revealed, the min-entropy of W left is less than 6 · 2^{3t} l. Let B_0 stand for the event that there 
exists a j s.t. B_{j0} happens. Thus by Lemma 3.14, we have 

\Pr[B_{j0}] \le 2^{-2 \cdot 2^{3t} l}, \quad \forall j. 

By the union bound, 

\Pr[B_0] \le 2l \cdot 2^{-2 \cdot 2^{3t} l}. 

Now in the event that B_0 does not happen, at every phase j the min-entropy of W conditioned 
on the strings that Alice and Bob have revealed is at least 6 · 2^{3t} l. Therefore the output of Ext(W, X) 
or Ext(W, Y) is 2^{−Ω(t)}-close to uniform even conditioned on X, Y by Theorem 3.12. 

Let G denote the set of all challenge phases in Eve's view, i.e., G = {j : Phase j is a challenge 
phase for Eve}. Note that a phase in Eve's view contains at most 2t rounds, because in each round 
either Alice's or Bob's round number will increase by 1. Thus by Claim 5.2 there are at least 
D'/2t ≥ D/8t bad phases. Now by Lemma 5.5 we have 

|G| \ge \frac{D}{16t} \ge \frac{\alpha l}{16t}. 

Let E denote the event that Eve successfully answered all the challenges. We want to bound 
Pr[E] from above. 

First let's consider Pr[E | B̄_0], where B̄_0 denotes the event that B_0 does not happen. Let E_j 
stand for the event that Eve successfully answered all the challenges in phase j, given all the strings 
revealed at this time by Alice and Bob and the event B̄_0. Thus 

\Pr[E \mid \bar{B}_0] = \prod_{j} \Pr[E_j \mid \{E_v : 1 \le v \le j-1\}, \bar{B}_0]. 

We bound the term Pr[E_j | {E_v : 1 ≤ v ≤ j − 1}, B̄_0] in two cases. First, if j ∉ G, we simply 
bound the probability by 1. Second, we bound the probability when j ∈ G. 

In this case, since B_0 does not happen, conditioned on the fixings of all the previous strings 
Alice and Bob revealed (and thus all the events {E_v : 1 ≤ v ≤ j − 1}), W has min-entropy at least 
6 · 2^{3t} l and either Ext(W, X) or Ext(W, Y) is 2^{−Ω(t)}-close to uniform conditioned on the fixings of 
all previous strings and X, Y. Since this is a challenge phase, Eve has to come up with a substring 
of Ext(W, X) or Ext(W, Y). Now let the unfixed strings revealed by Alice and Bob be s_r and let 
the string that Eve tries to come up with be s_c. Then by the definition of a challenge phase 
|s_c| ≥ |s_r| + 2t and S_c is 2^{−Ω(t)}-close to uniform conditioned on all the fixings. We need to bound 
the probability Pr[A(S_r) = S_c], where A is any (deterministic) algorithm. 

We first consider the case where S_c is truly uniform. Now by Lemma 3.14, 

\Pr\left[ H_\infty(S_c \mid S_r = s_r) \ge |s_c| - |s_r| - t \right] \ge 1 - 2^{-t}. 

That is, 

\Pr\left[ H_\infty(S_c \mid S_r = s_r) \ge t \right] \ge 1 - 2^{-t}. 

Thus 

\Pr[A(S_r) = S_c] \le 2^{-t} + (1 - 2^{-t}) \cdot 2^{-t} < 2^{-t+1}. 

Now since S_c is 2^{−Ω(t)}-close to uniform, we have 

\Pr[A(S_r) = S_c] \le 2^{-t+1} + 2^{-\Omega(t)} = 2^{-\Omega(t)}. 

Thus we have Pr[E_j | {E_v : 1 ≤ v ≤ j − 1}, B̄_0] ≤ 2^{−Ω(t)} when j ∈ G. 
Therefore 

\Pr[E \mid \bar{B}_0] \le \left(2^{-\Omega(t)}\right)^{|G|} = \left(2^{-\Omega(t)}\right)^{\alpha l / 16t} = 2^{-\Omega(l)}. 

Thus 

\Pr[E] \le \Pr[B_0] + \Pr[E \mid \bar{B}_0] \le 2l \cdot 2^{-2 \cdot 2^{3t} l} + 2^{-\Omega(l)} = 2^{-\Omega(l)}. 

The total number of random bits that Alice and Bob use is O(t) · l/t = O(l). The entropy loss 
of W is at most 2 · 2^{3t} l. □ 
Note that in order for the extractor from Theorem 3.12 to work, we need O(t) ≥ log n. On the 
other hand we need the entropy of W to be k ≥ 10 · 2^{3t} l. Since k cannot be bigger than n, we need 
t = O(log n). Thus we can set t = Θ(log n) such that 2^{3t} = n^γ for any 0 < γ < 1. 

In the above analysis we focused on the case where ℓ = Ω(log n). In the case where ℓ = o(log n), 
since Alice needs to authenticate Θ(ℓ + log n) bits to Bob, we can treat it as if ℓ = Ω(log n) and we 
get a better security parameter. Thus we have the following theorem. 

Theorem 5.7. For all positive integers n, ℓ and every 0 < γ < β < 1, assume that Alice and 
Bob share an (n, k) weak random source W with k ≥ n^β. Then there exists an efficient (k, ℓ) 
interactive authentication protocol such that Alice can authenticate Θ(ℓ + log n) bits of message to 
Bob. The total number of random bits that Alice and Bob use is O(ℓ + log n). The entropy loss of the protocol 
is n^γ (ℓ + log n). 

Using the method to convert an authentication protocol to a privacy amplification protocol in 
[KR09], Theorem 3.15, we obtain Theorem 1.3. 

6 Using Local Weak Random Sources 

In this section we show how the problem of privacy amplification can be solved when Alice and 
Bob each only has a local weak random source, instead of truly random bits. As usual we assume 
that Alice and Bob's weak random sources are independent of each other and independent of the 
shared weak random source. 

6.1 Non Constructive Results 

First we show that non-constructively, this can be done. In fact, we can essentially reduce the 
problem to the case where Alice and Bob have local random bits. First we have the following 
theorem, which can be easily proved by the probabilistic method: 

Theorem 6.1. (Two source extractor) For all positive integers n, k such that k > log n, there exists 
a function TExt : {0, 1}^n × {0, 1}^n → {0, 1}^m and 0 < ε < 1 such that m = Ω(k), ε = 2^{−Ω(k)} and if 
X, Y are two independent (n, k)-sources, then 

|(X, \mathrm{TExt}(X, Y)) - (X, U_m)| < \varepsilon 

and 

|(Y, \mathrm{TExt}(X, Y)) - (Y, U_m)| < \varepsilon. 

Now we have the following protocol. 

Protocol NExtract(x, y, w): 

• Alice has a weak random source X, Bob has an independent weak random source Y, and 
they share an independent weak random source W. All these sources have min-entropy 
k > polylog(n). 

• Let TExt be the strong two source extractor from Theorem 6.1. 

1. Alice and Bob each apply TExt to his or her own source and W. 

2. Alice obtains S_x = TExt(X, W) and Bob obtains S_y = TExt(Y, W), each outputting Ω(k) 
bits. 

Now we have the following theorem. 

Theorem 6.2. 

|(S_x, S_y, W) - (U_x, U_y, W)| \le 2^{-\Omega(k)}, 

where (U_x, U_y) is the uniform distribution independent of W. 

Proof. By Theorem 6.1 and a standard averaging argument, with probability 1 − √ε over the fixings 
of W, S_x is √ε-close to uniform, where ε = 2^{−Ω(k)}. Similarly, with probability 1 − √ε over the 
fixings of W, S_y is √ε-close to uniform. Thus with probability 1 − 2√ε over the fixings of W, both 
S_x and S_y are √ε-close to uniform. Note that after fixing W, S_x is a function of X and S_y is a 
function of Y. Thus they are independent. Therefore with probability 1 − 2√ε over the fixings of 
W, (S_x, S_y) is 2√ε-close to uniform. Thus we have 

|(S_x, S_y, W) - (U_x, U_y, W)| \le 2^{-\Omega(k)}. 

□ 

Now all we need to do is to plug in the non-explicit optimal privacy amplification in [DW09] to 
obtain Theorem 1.5. 

6.2 Weak random sources with entropy rate > 1/2 

Now we study a simple case where Alice and Bob's weak random sources have entropy rate > 1/2. 
In this case, we show that we can also reduce the problem to the case where Alice and Bob have 
local random bits. The reason is that we have strong two-source extractors for such sources, namely 
Raz's extractor from Theorem 3.11. 

First we have the following protocol. 

Protocol ExtractH(x, y, w): 

• Alice has a weak random source X, Bob has an independent weak random source Y, and they 
share an independent weak random source W. Both X and Y have min-entropy (1/2 + δ)n 
and W has min-entropy k > polylog(n). 

• Let Raz be the strong two source extractor from Theorem 3.11. 

1. Alice and Bob each apply Raz to his or her own source and W. 

2. Alice obtains S_x = Raz(X, W) and Bob obtains S_y = Raz(Y, W), each outputting Ω(k) bits. 

Now we have the following theorem. 

Theorem 6.3. 

|(S_x, S_y, W) - (U_x, U_y, W)| \le 2^{-\Omega(k)}, 

where (U_x, U_y) is the uniform distribution independent of W. 

Proof. Essentially repeat the proof in the previous section. □ 

Again, all we need to do now is to plug in any privacy amplification protocol in [RW03, KR09, 
DW09, CKOR10] to obtain Theorem 1.6. 
6.3 Weak random sources with linear min-entropy 

In this section we relax the assumption and only require Alice and Bob to have weak random sources 
with arbitrarily linear min-entropy. More specifically, we assume that Alice and Bob each has a 
local (n, δn) source for some constant 0 < δ < 1. We assume the shared source is an (n, k) source 
with k > polylog(n). Actually we can also deal with the case where the shared source has linear 
min-entropy but the local weak sources only have polylogarithmic entropy. This case is quite 
similar, and thus omitted. 

6.3.1 The protocol 

Here we give a protocol for Alice and Bob to extract private local random bits. That is, in the 
end of the protocol, both Alice and Bob obtain local random bits that are close to uniform and 
independent of the shared weak random source, even in Eve's view. Moreover the shared weak 
source still has most of its entropy left. 

We need the following definition about the slice of a concatenation of strings. 

Definition 6.4. [Rao09] Given t strings of length n, x = x_1, ..., x_t, define Slice(x, s) to be the 
string x' = x'_1, ..., x'_t such that for each i, x'_i is the prefix of x_i of length s. 

Now we can describe our protocol. In this protocol when a party is authenticating a message 
to the other party, we do not use the error correcting code. Instead, we just convert the message 
to a string with a fixed number of 1's. One simple way to do this is to map each bit 0 to 01 and map 
each bit 1 to 10. Thus the number of 1's in the authenticated message is known to both parties 
before they execute the protocol. 

Protocol Extract(x, y, w): 

• Alice has a weak random source X, Bob has an independent weak random source Y, and 
they share an independent weak random source W. Both X and Y have min-entropy δn and 
W has min-entropy k > polylog(n). 

• Let Zuc be the somewhere condenser from Theorem 3.9. 

• Let Raz be the strong two source extractor from Theorem 3.11. 

• Let SRGExt be the two source extractor from Theorem 3.10. 

• Let Ext be a strong extractor as in Theorem 3.12. 

• Let 0 < γ < 1 be some constant. 

1. Alice uses Zuc to convert X into a somewhere rate-0.9 source X̄, with D rows for some constant 
D > 1. Similarly Bob also converts Y into a somewhere rate-0.9 source Ȳ with D rows. 

2. Alice applies Raz to each row of X̄ and W and obtains a somewhere random source SR_x, 
with each row outputting k^γ bits. Similarly Bob also applies Raz to each row of Ȳ and W 
and obtains a somewhere random source SR_y, with each row outputting k^γ bits. 

3. Alice produces 3 strings: X_1 = Slice(SR_x, c log n), X_2 = Slice(SR_x, μ log k) and X_3 = 
Slice(SR_x, k^β) for some parameters c > 1, 0 < μ < 1 and 0 < β < 1 to be chosen 
later. Bob also produces 3 strings: Y_1 = Slice(SR_y, c log n), Y_2 = Slice(SR_y, μ log k) and 
Y_3 = Slice(SR_y, k^β). 
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4. Alice announces x\ to Bob and Bob announces y\ to Alice. Alice then computes r y = 
Ext(w,j/i) and Bob computes r x = Ext(io,xi), where the function Ext is applied to w and 
each row of xi,yi, and each output string has length /c 7 . 

5. Alice converts x<i to a string m x with a fixed number of l's. Let the length of the string be t 
(note t = O(logfc)). Alice then authenticates m x to Bob by doing the following: 

6. Define three set of integers as Cu = (4Z)) 3 * _2 clog n, C21 = (4L>) 3i_1 clogn, C^i = (4D) 3i clog n, 
where i = 1, • • ■ ,2t. 

7. For i = 1 to t do (authenticate x% to Bob): 

• If m x i = 0, Alice sends (0, Slice(r y , Cu)). Otherwise she sends (1, Slice(r y , C2i))- 

• Bob receives the message and verifies S\\ce(r y ,Cu) = Slice(Ext(u>, yi), Cu) in the case 
and S\\ce(r y ,C2i) = Slice(Ext(u>, yi), C*2i) in the 1 case. If the verification does not go 
through, abort. Bob then sends Slice(r x , C&) to Alice. 

• Alice receives the message and verifies Slice(r x , C%j) = Slice(Ext(io, x\), C^i). 

8. When received t bits, Bob verifies that the number of ones in the received string is vjt(m x ); 
aborts otherwise. Bob recovers X2 from m x . 

9. Bob computes r% = SRGExt(?/2, ^2), outputting J7(logfc) bits. Bob then computes s y = 
Ext(ys,r^), outputting bits. 

10. Bob converts r% to a string m y with a fixed number of l's. The length of the string is t'. Bob 
then authenticates m y to Alice by doing the following: 

11. For i = t + 1 to t + 1' do (authenticate r% to Alice): 

• If m y a_ t \ = 0, Bob sends (0,S\\ce(r x ,Cii)). Otherwise he sends (1, Slice(r a; , CW)). 

• Alice receives the message and verifies Slice(r x , Cu) = Slice(Ext(u>, xi), Cu) in the case 
and S\\ce(r x ,C2i) = SI ice (Ext (to, x\), C21) in the 1 case. If the verification does not go 
through, abort. Alice then sends Slice^, C3j) to Bob. 

• Bob receives the message and verifies Slice(r y , C&) = Slice(Ext(u>, yi), C&). 

12. When received t f bits, Alice verifies that the number of ones in the received string is wt(m 3/ ); 
aborts otherwise. Alice recovers r% from m y . 

13. Alice computes s x = Ext(x3,r3), outputting bits. 
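To make the round structure of steps 5 to 12 concrete, here is an added toy simulation written for this page; it is not code from the paper. It replaces the extractor outputs $r_x = \mathrm{Ext}(w, x_1)$ and $r_y = \mathrm{Ext}(w, y_1)$ with ideal random strings that Alice and Bob share and Eve does not know (Eve never learns w), holds each of the D rows as a Python int with $\mathrm{Slice}(r, C)$ taken as the low C bits, uses $m = x \,\|\, \bar{x}$ as the fixed-weight encoding, and runs with the assumed parameters D = 1 and $c\log n = 2$ so that the slices stay small; the names `Eve`, `run_authentication` and `demo` are this example's own. It shows why a 0 cannot be turned into a 1 (the required $\mathrm{Slice}(r, C_{2i})$ is longer than anything revealed so far, so the missing bits have to be guessed) and why a 1 turned into a 0 passes the per-round check but fails the weight check of step 8.

```python
import random


def fixed_weight_encode(bits):
    """Constant-weight encoding of the string to be sent: m = bits || complement(bits),
    so wt(m) = len(bits) is public and the receiver can check it (steps 8 and 12)."""
    return list(bits) + [1 - b for b in bits]


def fixed_weight_decode(m):
    """Inverse of fixed_weight_encode: the first half carries the original bits."""
    return m[: len(m) // 2]


def challenge_sizes(i, D, clogn):
    """Step 6: C_{1i}, C_{2i}, C_{3i} = (4D)^{3i-2}, (4D)^{3i-1}, (4D)^{3i} times c*log n."""
    g = 4 * D
    return g ** (3 * i - 2) * clogn, g ** (3 * i - 1) * clogn, g ** (3 * i) * clogn


def slice_rows(rows, length):
    """Slice(r, C): the first C bits of every row (rows are ints, bit 0 is the first bit)."""
    mask = (1 << length) - 1
    return [r & mask for r in rows]


class Eve:
    """Active adversary on the channel (constructed for this example). She sees every
    message but not w, hence neither r_x nor r_y, and in round `target` tries to flip
    the bit the sender transmits."""

    def __init__(self, rng, target, mode):
        self.rng, self.target, self.mode = rng, target, mode   # mode: "to_one" or "to_zero"
        self.seen_len, self.seen_rows = 0, None                # longest prefix of r seen so far

    def observe(self, length, rows):
        if length > self.seen_len:
            self.seen_len, self.seen_rows = length, rows

    def tamper(self, i, bit, rows, c1, c2):
        if i != self.target:
            return bit, rows
        if bit == 1 and self.mode == "to_zero":
            # A 1 -> 0 change only needs a prefix of the genuine slice: the per-round
            # check passes, but the weight check at the end catches it.
            return 0, slice_rows(rows, c1)
        if bit == 0 and self.mode == "to_one":
            # A 0 -> 1 change needs Slice(r, C_{2i}), longer than anything revealed so far;
            # the C_{2i} - seen_len missing bits have to be guessed.
            known = self.seen_rows or [0] * len(rows)
            missing = c2 - self.seen_len
            return 1, [k | (self.rng.getrandbits(missing) << self.seen_len) for k in known]
        return bit, rows


def run_authentication(m, r_sender, r_receiver, D, clogn, start_round=1, eve=None):
    """One direction of step 7 (Alice -> Bob) or step 11 (Bob -> Alice). Both parties can
    recompute r_sender and r_receiver from w; Eve may rewrite the sender's messages.
    Returns (accepted, bits the receiver accepted)."""
    received = []
    for idx, bit in enumerate(m):
        i = start_round + idx
        c1, c2, c3 = challenge_sizes(i, D, clogn)
        length = c2 if bit else c1
        sent = slice_rows(r_sender, length)
        if eve is not None:
            eve.observe(length, sent)
            bit, sent = eve.tamper(i, bit, sent, c1, c2)
        # the receiver recomputes the slice from its own copy of r_sender and aborts on mismatch
        if sent != slice_rows(r_sender, c2 if bit else c1):
            return False, received
        received.append(bit)
        # the receiver answers with Slice(r_receiver, C_{3i}), which the sender checks likewise
        reply = slice_rows(r_receiver, c3)
        if reply != slice_rows(r_receiver, c3):
            return False, received
    # steps 8 / 12: the weight of m is fixed by the encoding, so the receiver can verify it
    if sum(received) != len(m) // 2:
        return False, received
    return True, received


def demo(seed=1, D=1, clogn=2):
    """Constructed run with x_2 = 10 (so m_x = 1001 and t = 4 rounds): an honest run, then
    Eve flipping the 0 of round 2 into a 1, then Eve flipping the 1 of round 1 into a 0."""
    rng = random.Random(seed)
    m = fixed_weight_encode([1, 0])
    longest = challenge_sizes(len(m), D, clogn)[2]      # C_{3t}: the longest slice requested
    r_y = [rng.getrandbits(longest) for _ in range(D)]  # stand-in for the rows of Ext(w, y_1)
    r_x = [rng.getrandbits(longest) for _ in range(D)]  # stand-in for the rows of Ext(w, x_1)
    ok, bits = run_authentication(m, r_y, r_x, D, clogn)
    to_one, _ = run_authentication(m, r_y, r_x, D, clogn, eve=Eve(rng, 2, "to_one"))
    to_zero, _ = run_authentication(m, r_y, r_x, D, clogn, eve=Eve(rng, 1, "to_zero"))
    return ok, fixed_weight_decode(bits), to_one, to_zero


if __name__ == "__main__":
    print(demo())   # (True, [1, 0], False, False)
```

With D = 1 and $c\log n = 2$ the four rounds request slices of 32, 512, 32768 and 8388608 bits, so the 0 of round 2 would require Eve to guess $C_{22} - C_{12} = 1536$ bits she has never seen; the honest run accepts and recovers $x_2$, and both of Eve's attempts are rejected.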



6.3.2 Analysis of the protocol 

We claim that $S_x$ and $S_y$ can now be treated as local private random bits of Alice and Bob. That 
is, they are close to being independent and uniform, and independent of W, even in Eve's view. 
Specifically, we have the following theorem. 

Theorem 6.5. Let V denote the transcript of the whole protocol in Eve's view. Then if $S_x \neq \bot$ 
and $S_y \neq \bot$ (the protocol doesn't abort), we have 

$$|(S_x, S_y, W, V) - (U_x, U_y, W, V)| \le 1/\mathrm{poly}(k),$$ 

where $(U_x, U_y)$ is the uniform distribution independent of (W, V). Moreover, with probability 
$1 - 2^{-k^{\Omega(1)}}$ over the fixings of V = v, W has min-entropy $k - k^{\cdots}$. 

Proof. Without loss of generality assume that the first row of $\bar{X}$ and the first row of $\bar{Y}$ have entropy 
rate 0.9. Let the two rows be $\bar{X}_1$ and $\bar{Y}_1$. Thus by Theorem 3.11 we have 

$$|(SR_{x1}, W) - (U_x, W)| = 2^{-\Omega(k)}$$ 

and 

$$|(SR_{y1}, W) - (U_y, W)| = 2^{-\Omega(k)},$$ 

where $SR_{x1}$ and $SR_{y1}$ stand for the first rows of $SR_x$ and $SR_y$ respectively. Since conditioned on 
any fixing of W = w, $SR_{x1}$ and $SR_{y1}$ are functions of X and Y and are thus independent, we have 

$$|(SR_{x1}, SR_{y1}, W) - (U_x, U_y, W)| = 2^{-\Omega(k)}. \qquad (1)$$ 

Note that the length of $r_3$ is less than the length of $X_2$. Thus $t' < t$ and therefore the protocol 
runs for at most $2t = O(\log k)$ rounds. Also in the protocol $\mathrm{Ext}(W, X_{11})$ and $\mathrm{Ext}(W, Y_{11})$ output 
at most $(4D)^{6t} c\log n = k^{O(1)} \log n$ bits. We choose $\mu$ s.t. this number is at most $k^\gamma$, thus we have 
enough entropy in W for the outputs. Therefore by Equation 1, 

$$|(\mathrm{Ext}(W, X_{11}), \mathrm{Ext}(W, Y_{11})) - (U'_x, U'_y)| = 2^{-\Omega(k)} + 1/\mathrm{poly}(n) = 1/\mathrm{poly}(n).$$ 

Note that now the random variable that Alice is trying to send to Bob, $X_2$, and the random 
variables $X_1, Y_1$ that have already been revealed, may not be (close to) independent of 
$(\mathrm{Ext}(W, X_{11}), \mathrm{Ext}(W, Y_{11}))$. We first show that in this case the probability that Eve can successfully 
change a string $x_2$ to a different string is small. To show this, we have the following lemma. 

Lemma 6.6. Assume that $(\mathrm{Ext}(W, X_{11}), \mathrm{Ext}(W, Y_{11}))$ is $\epsilon_0$-close to uniform. Let $X_1$ and $Y_1$ be as 
in the protocol. Let M be any random variable with at most $D\log n$ bits and let Alice use the protocol 
to authenticate M to Bob. Then the probability that Eve can successfully change a string m to a 
different string is bounded above by $1/\mathrm{poly}(n) + \epsilon_0$, where the probability is over M and the random 
variables used to transfer M. 

Proof. Let $R_x = \mathrm{Ext}(W, X_1)$, $R_y = \mathrm{Ext}(W, Y_1)$ and $R_{x1}, R_{y1}$ be the first rows of $R_x, R_y$ respectively. 
Thus $R_{x1} = \mathrm{Ext}(W, X_{11})$ and $R_{y1} = \mathrm{Ext}(W, Y_{11})$. Let $\tilde{R}_x$ and $\tilde{R}_y$ be the actual random variables 
computed by Bob and Alice respectively. We want to deal with the ideal case where $(R_{x1}, R_{y1})$ is 
uniform instead of $\epsilon_0$-close to uniform. Note that $(M, X_1, Y_1, R_x, R_y, \tilde{R}_x, \tilde{R}_y)$ are all the random 
variables used by Alice to authenticate M to Bob. Thus by Lemma 3.13 we first construct another 
distribution $(M', X'_1, Y'_1, R'_x, R'_y, \tilde{R}'_x, \tilde{R}'_y, R'_{x1}, R'_{y1})$ where $(R'_{x1}, R'_{y1})$ is uniform and 

$$|(M, X_1, Y_1, R_x, R_y, \tilde{R}_x, \tilde{R}_y, R_{x1}, R_{y1}) - (M', X'_1, Y'_1, R'_x, R'_y, \tilde{R}'_x, \tilde{R}'_y, R'_{x1}, R'_{y1})| \le \epsilon_0.$$ 

From now on we will continue the discussion as if $(M, X_1, Y_1, R_x, R_y, \tilde{R}_x, \tilde{R}_y, R_{x1}, R_{y1}) = 
(M', X'_1, Y'_1, R'_x, R'_y, \tilde{R}'_x, \tilde{R}'_y, R'_{x1}, R'_{y1})$. We can do this because in the analysis all we use are the sizes 
of $M, X_1, Y_1, R_x, R_y, \tilde{R}_x, \tilde{R}_y, R_{x1}, R_{y1}$, which are the same as those of $M', X'_1, Y'_1, R'_x, R'_y, \tilde{R}'_x, \tilde{R}'_y, R'_{x1}, R'_{y1}$, 
by Lemma 3.13. Thus the success probability of Eve can only differ by at most $\epsilon_0$. 

Now note that the length of m is at most $D\log n$. Thus by Lemma 3.14 we have 

$$\Pr[H_\infty(\mathrm{Ext}(W, X_{11}) \mid M = m) \ge (4D)^{6t} c\log n - D\log n - D\log n] \ge 1 - 2^{-D\log n}.$$ 

That is, 

$$\Pr[H_\infty(\mathrm{Ext}(W, X_{11}) \mid M = m) \ge (4D)^{6t} c\log n - 2D\log n] \ge 1 - 1/\mathrm{poly}(n).$$ 

Similarly 

$$\Pr[H_\infty(\mathrm{Ext}(W, Y_{11}) \mid M = m) \ge (4D)^{6t} c\log n - 2D\log n] \ge 1 - 1/\mathrm{poly}(n).$$ 

We show that when m is a string s.t. both $(\mathrm{Ext}(W, X_{11}) \mid M = m)$ and $(\mathrm{Ext}(W, Y_{11}) \mid M = m)$ have 
min-entropy at least $(4D)^{6t} c\log n - 2D\log n$, the success probability that Eve can change m without 
being detected is $1/\mathrm{poly}(n)$. By the union bound this happens with probability $1 - 1/\mathrm{poly}(n)$. 

To see this, we first prove the following lemma. 

Lemma 6.7. In order to change m to a different string, Eve has to come up with at least one 
challenge. 

Proof. To change m to a different string, Eve must take a series of operations. We consider two 
cases. 

• Case 1: The operations that Eve made include insertion or deletion. In this case the first 
such operation must incur a challenge. To see this, let j be the round right before the 
insertion or deletion. Thus at the end of round j, Alice has announced at most a total of 
$DC_{2j} + cD\log n = C_{3j}/4 + cD\log n$ bits. Similarly Bob has announced at most a total of 
$DC_{3j} + cD\log n = C_{1(j+1)}/4 + cD\log n$ bits. If it's an insertion, Eve has to come up with at 
least $C_{1(j+1)} = (4D)^{3j+1} c\log n$ random bits to avoid detection, and we see that 

$$C_{1(j+1)} - (C_{3j}/4 + cD\log n) - (C_{1(j+1)}/4 + cD\log n) - D\log n > 4cD\log n.$$ 

If it's a deletion, then Alice has announced at most a total of $DC_{2(j+1)} + cD\log n = C_{3(j+1)}/4 + 
cD\log n$ bits and Bob has announced a total of $DC_{3j} + cD\log n = C_{1(j+1)}/4 + cD\log n$ bits. 
Eve has to come up with at least $C_{3(j+1)} = (4D)^{3j+3} c\log n$ random bits to avoid detection, 
and we see that 

$$C_{3(j+1)} - (C_{3(j+1)}/4 + cD\log n) - (C_{1(j+1)}/4 + cD\log n) - D\log n > 4cD\log n.$$ 

• Case 2: The operations that Eve made do not include insertion or deletion. In this case, since 
the number of 1's in the message is known to Bob, Eve must make at least one operation of 
changing 0 to 1 and at least one operation of changing 1 to 0. Then the operation of changing 
0 to 1 will incur a challenge. To see this, let j be the current round (since Eve does not make 
operations of insertion and deletion, the round number is the same for Alice, Bob and Eve). 
Thus now Alice has announced a total of $DC_{1j} + cD\log n = C_{2j}/4 + cD\log n$ bits while Bob 
has announced a total of $DC_{3(j-1)} + cD\log n = C_{1j}/4 + cD\log n$ bits. Eve has to come up 
with at least $C_{2j} = (4D)^{3j-1} c\log n$ random bits to avoid detection, and we see that 

$$C_{2j} - (C_{2j}/4 + cD\log n) - (C_{1j}/4 + cD\log n) - D\log n > 4cD\log n.$$ 



Now let j be the round in which Eve has to answer the first challenge. Let $B_j$ stand for the random 
variable of all the strings that have been revealed by Alice and Bob till now, and let $l_b$ be the length 
of the string $b_j$. Let $A_j$ denote the random variable that Eve is trying to come up with, and let $l_a$ 
be the length of the string a. Thus we have just shown that $l_a > l_b + 4cD\log n$. 

Since both $(\mathrm{Ext}(W, X_{11}) \mid M = m)$ and $(\mathrm{Ext}(W, Y_{11}) \mid M = m)$ have min-entropy at least $(4D)^{6t} c\log n - 
2D\log n$, A has min-entropy $l_a - 2D\log n$. Thus by Lemma 3.14, 

$$\Pr[H_\infty(A \mid B = b) \ge l_a - 2D\log n - l_b - D\log n] \ge 1 - 2^{-D\log n}.$$ 

Since $l_a - l_b > 4cD\log n$ and $c > 1$, the threshold on the left is at least $4cD\log n - 3D\log n > D\log n$, and thus 

$$\Pr_{B}[H_\infty(A \mid B = b) \ge D\log n] \ge 1 - 1/\mathrm{poly}(n).$$ 

Therefore the probability that Eve can successfully change the string is bounded from above by 
$1/\mathrm{poly}(n) + 2^{-D\log n} = 1/\mathrm{poly}(n)$. 

Thus, going back to the case where $(\mathrm{Ext}(W, X_{11}), \mathrm{Ext}(W, Y_{11}))$ is $\epsilon_0$-close to uniform, the success 
probability of Eve is bounded from above by $1/\mathrm{poly}(n) + \epsilon_0$. ■ 
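As a numerical check of the bookkeeping in the proof of Lemma 6.7 (added here; not from the paper), the following Python computes, for each of the three situations in the proof at a round $j \ge 1$ (an insertion after round j, a deletion after round j, and turning a 0 into a 1 in round j), the number of bits Eve must produce minus everything Alice, Bob and the message can have revealed, using the paper's $C_{1i}, C_{2i}, C_{3i}$ and the accounting $DC_{2j} + cD\log n = C_{3j}/4 + cD\log n$ and so on, and compares the result with the claimed $4cD\log n$. The function names are this example's own; D, c and $\log n$ are passed in as integers.

```python
def challenge_sizes(i, D, clogn):
    """Step 6 of the protocol: C_{1i}, C_{2i}, C_{3i} = (4D)^{3i-2}, (4D)^{3i-1}, (4D)^{3i} times c*log n."""
    g = 4 * D
    return g ** (3 * i - 2) * clogn, g ** (3 * i - 1) * clogn, g ** (3 * i) * clogn


def margins(j, D, c, logn):
    """For a round j >= 1, the number of bits Eve must produce minus everything that can
    already be known to her, in each of the three situations of the proof of Lemma 6.7.
    The announced x_1 (resp. y_1) contributes cD log n bits and the message at most D log n."""
    L = c * logn
    c1j, c2j, c3j = challenge_sizes(j, D, L)
    c1n, _, c3n = challenge_sizes(j + 1, D, L)
    x1 = c * D * logn          # the cD log n bits of x_1 (resp. y_1) from step 4
    msg = D * logn             # the at most D log n bits of the authenticated message
    return {
        # Alice revealed D*C_{2j} + cD log n = C_{3j}/4 + cD log n,
        # Bob revealed D*C_{3j} + cD log n = C_{1(j+1)}/4 + cD log n; Eve needs C_{1(j+1)} bits
        "insertion": c1n - (c3j // 4 + x1) - (c1n // 4 + x1) - msg,
        # Alice revealed D*C_{2(j+1)} + cD log n = C_{3(j+1)}/4 + cD log n; Eve needs C_{3(j+1)} bits
        "deletion": c3n - (c3n // 4 + x1) - (c1n // 4 + x1) - msg,
        # Alice revealed D*C_{1j} + cD log n = C_{2j}/4 + cD log n,
        # Bob revealed D*C_{3(j-1)} + cD log n = C_{1j}/4 + cD log n; Eve needs C_{2j} bits
        "flip_0_to_1": c2j - (c2j // 4 + x1) - (c1j // 4 + x1) - msg,
    }


def lemma_67_margin_holds(D, c, logn, rounds):
    """Check the claim '... > 4cD log n' of Lemma 6.7 for every round j = 1, ..., rounds."""
    bound = 4 * c * D * logn
    return all(v > bound
               for j in range(1, rounds + 1)
               for v in margins(j, D, c, logn).values())


if __name__ == "__main__":
    print(margins(1, 1, 1, 2))          # {'insertion': 346, 'deletion': 6010, 'flip_0_to_1': 16}
    print(lemma_67_margin_holds(2, 2, 10, 6))   # True
```

The divisions by 4 are exact because every $C_{\cdot i}$ with exponent at least 1 is a multiple of 4D. Even in the smallest case (D = 1, c = 1, $\log n = 2$, j = 1) the 0-to-1 flip leaves Eve 16 bits short against the bound of 8, and the margins grow geometrically with j.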

Thus the success probability of Eve changing $x_2$ to a different string is bounded from above by 
$1/\mathrm{poly}(n) + 1/\mathrm{poly}(n) = 1/\mathrm{poly}(n)$. Note this probability is also over $X_2$. By a standard averaging 
argument, with probability $1 - 1/\mathrm{poly}(n)$ over $X_2$, the success probability of Eve changing $x_2$ to a 
different string is at most $1/\mathrm{poly}(n)$. 

Now Bob obtains a random variable $X'_2$. Note that $X'_2$ is not exactly $X_2$ since Eve may be 
able to change $X_2$ for a probability mass of $\epsilon = 1/\mathrm{poly}(n)$. Assume for now that Bob obtains $X_2$ 
instead of $X'_2$. Now we fix W = w. Note that after this fixing, $X_1, X_2$ are functions of X and 
$Y_1, Y_2$ are functions of Y. By Theorem 3.11, with probability $1 - 2^{-\Omega(k)}$ over the fixings of W = w, 
$X_2$ is $2^{-\Omega(k)}$-close to being a somewhere random source, and so is $Y_2$. Moreover $X_2$ and $Y_2$ are 
independent. Thus by Theorem 3.10, we have that for a typical fixing of W = w, 

$$|(X_2, R_3) - (X_2, U_m)| \le \epsilon_1 \qquad (2)$$ 

and 

$$|(Y_2, R_3) - (Y_2, U_m)| \le \epsilon_1, \qquad (3)$$ 

where $\epsilon_1 = 2^{-\Omega(k)} + 2^{-\Omega(\log k)} = 1/\mathrm{poly}(k)$. 

We then further fix $Y_2 = y_2$. By Equation 3, with probability $1 - \sqrt{\epsilon_1}$ over the fixings of $Y_2 = y_2$, 
$R_3$ is $\sqrt{\epsilon_1}$-close to uniform. Further note that after this fixing $R_3$ is a deterministic function of X, 
and $Y_1$ is a deterministic function of Y. Thus we can further fix $Y_1 = y_1$ and $R_3$ is still $\sqrt{\epsilon_1}$-close 
to uniform. Note that $y_1$ has length $cD\log n$ and $Y_3$ has min-entropy $k^\beta$. Thus by Lemma 3.14 
we have that with probability $1 - 1/\mathrm{poly}(n)$ over the fixings of $Y_1 = y_1$, $Y_3$ has min-entropy $0.9k^\beta$. 
Thus we have shown that 

[Condition 1] With probability $1 - 2^{-\Omega(k)} - \sqrt{\epsilon_1} - 1/\mathrm{poly}(n) = 1 - 1/\mathrm{poly}(k)$ over the fixings 
of $W = w, Y_2 = y_2, Y_1 = y_1$, $R_3$ is $\sqrt{\epsilon_1}$-close to uniform, $Y_3$ has min-entropy $0.9k^\beta$ and $R_3$ and $Y_3$ are 
independent. 

Now let's consider the case where Bob obtains $X'_2$ instead of $X_2$ and Bob computes $R'_3$ instead 
of $R_3$. Note that Eve can only change an $\epsilon = 1/\mathrm{poly}(n)$ probability mass of $X_2$. For a fixed 
$W = w, Y_1 = y_1$ (note that $y_2$ is a slice of $y_1$), let $E_{w,y_1}$ denote the event that Eve changes a $\sqrt{\epsilon}$ 
probability mass of $X_2 \mid (W = w, Y_1 = y_1)$. By a standard averaging argument we have 

$$\Pr_{W, Y_1}[E_{w,y_1}] \le \sqrt{\epsilon}.$$ 

Now consider a typical fixing of $W = w, Y_1 = y_1$ where the event $E_{w,y_1}$ does not happen and 
Condition 1 holds. This happens with probability $1 - 1/\mathrm{poly}(k) - \sqrt{\epsilon} = 1 - 1/\mathrm{poly}(k)$. Note since 
Condition 1 holds, after this fixing $R_3$ and $Y_3$ are independent and $R_3$ is a deterministic function 
of $X_2$ (and X). Now Eve can change a probability mass of $\sqrt{\epsilon}$ here, but all strings revealed by 
Bob are fixed and W is fixed. Thus whatever Eve does, the resulting $R'_3$ is a function of X and 
is still independent of $Y_3$. Moreover since Eve can only change a probability mass of $\sqrt{\epsilon}$, $R'_3$ is 
$\sqrt{\epsilon_1} + \sqrt{\epsilon} = 1/\mathrm{poly}(k)$-close to uniform. Therefore we have shown that 

[Condition 2] With probability $1 - 1/\mathrm{poly}(k)$ over the fixings of $W = w, Y_2 = y_2, Y_1 = y_1$, $R'_3$ 
is $1/\mathrm{poly}(k)$-close to uniform, $Y_3$ has min-entropy $0.9k^\beta$ and $R'_3$ and $Y_3$ are independent. 

Therefore by the property of the strong extractor Ext, we have 

$$|(S_y, R'_3) - (U, R'_3)| \le 1/\mathrm{poly}(k).$$ 

Note that we have fixed $W = w, Y_2 = y_2, Y_1 = y_1$, and we can now further fix $R'_3 = r'_3$. After 
this fixing $S_y$ is just a function of Y and is independent of X. Thus we have fixed all possible 
information that Eve could know about Y and $S_y$ is still close to uniform. Therefore $S_y$ can be 
treated as local private random bits of Bob. 

Now again by Lemma 6.6 Bob can authenticate $R'_3$ to Alice such that Eve can only successfully 
change a probability mass of $\epsilon = 1/\mathrm{poly}(n)$ of $R'_3$. Suppose Alice obtains $R''_3$. Now we fix W = w 
and let $E_w$ stand for the event that Eve changes a $\sqrt{\epsilon}$ probability mass of $X_2 \mid (W = w)$. By a 
standard averaging argument we have 

$$\Pr_{W}[E_w] \le \sqrt{\epsilon}.$$ 

Now for a typical fixing of W = w where both $X_2$ and $Y_2$ are close to a somewhere random 
source and Eve changes less than a $\sqrt{\epsilon}$ probability mass of $X_2 \mid (W = w)$, $X_2$ is a function of X, $Y_2$ is 
a function of Y, and they are thus independent. By Equation 2, with probability $1 - \sqrt{\epsilon_1}$ over the fixings 
of $X_2 = x_2$, $R_3$ is $\sqrt{\epsilon_1}$-close to uniform. Thus for a further typical fixing of $X_2 = x_2$ where $x_2$ is 
not changed by Eve and $R_3$ is close to uniform, $R_3$ (and $R'_3$) is a function of Y and is independent 
of X. Therefore we can further fix $X_1 = x_1$ and $R'_3$ is still close to uniform. Note that $x_1$ has 
length $cD\log n$ and $X_3$ has min-entropy $k^\beta$. Thus by Lemma 3.14 we have that with probability 
$1 - 1/\mathrm{poly}(n)$ over the fixings of $X_1 = x_1$, $X_3$ has min-entropy $0.9k^\beta$. 

Now Eve can change an $\epsilon = 1/\mathrm{poly}(n)$ probability mass of $R'_3$. Let $E_{w,x_2}$ stand for the event that 
Eve changes a $\sqrt{\epsilon}$ probability mass of $R'_3 \mid (W = w, X_2 = x_2)$. By a standard averaging argument 
we have 

$$\Pr_{W, X_2}[E_{w,x_2}] \le \sqrt{\epsilon}.$$ 

Thus for a typical fixing of $(W = w, X_2 = x_2)$, Eve changes less than a $\sqrt{\epsilon}$ probability mass of 
$R'_3 \mid (W = w, X_2 = x_2)$. Since now all strings revealed by Alice and W are fixed, no matter what 
Eve does, the resulting $R''_3$ is a function of Y and is still independent of $X_3$. Moreover since Eve 
can only change a probability mass of $\sqrt{\epsilon}$, $R''_3$ is $\sqrt{\epsilon_1} + \sqrt{\epsilon} = 1/\mathrm{poly}(k)$-close to uniform. Note the 
probability of typical fixings of $(W = w, X_2 = x_2)$ is at least $1 - \sqrt{\epsilon} - \sqrt{\epsilon_1} - \sqrt{\epsilon} - \sqrt{\epsilon} = 1 - 1/\mathrm{poly}(k)$. 
Therefore we have shown that 

[Condition 3] With probability $1 - 1/\mathrm{poly}(k)$ over the fixings of $W = w, X_2 = x_2, X_1 = x_1$, 
$R''_3$ is $1/\mathrm{poly}(k)$-close to uniform, $X_3$ has min-entropy $0.9k^\beta$ and $R''_3$ and $X_3$ are independent. 

Therefore by the property of the strong extractor Ext, we have 

$$|(S_x, R''_3) - (U, R''_3)| \le 1/\mathrm{poly}(k).$$ 

Note that we have fixed $W = w, X_2 = x_2, X_1 = x_1$, and we can now further fix $R''_3 = r''_3$. After 
this fixing $S_x$ is just a function of X and is independent of Y, and is thus also independent of $S_y$ 
(which now is a function of Y). Thus we have fixed all possible information that Eve could know 
about X and $S_x$ is still close to uniform. Therefore $S_x$ can be treated as local private random bits 
of Alice. 

Therefore, we have eventually shown that 

$$|(S_x, S_y, X_1, Y_1, W) - (U_x, U_y, X_1, Y_1, W)| \le 1/\mathrm{poly}(k).$$ 

Note that now the entire transcript V up till now is a deterministic function of $W, X_1, Y_1$. 
Therefore we also have 

$$|(S_x, S_y, V, W) - (U_x, U_y, V, W)| \le 1/\mathrm{poly}(k).$$ 

Note that the transcript has length at most $k^\gamma$. Therefore by Lemma 3.14, with probability 
$1 - 2^{-k^{\Omega(1)}}$ over the fixings of the transcript, W still has min-entropy at least $k - \cdots$. Thus the 
theorem is proved. ■ 

Now all we need to do is to plug in any privacy amplification protocol in [RW03, KR09, DW09, 
CKOR10] to obtain Theorem 1.7. 

7 Conclusions and Open Problems 

In this paper we investigated two questions about the local randomness in privacy amplification 
with an active adversary. The first is what is the minimum number of local random bits needed 
and the second is whether privacy amplification can be achieved when the two parties only have 
access to local weak random sources. 

For the first question, we showed that $\Omega(\ell + \log n)$ local random bits suffice to achieve security 
parameter $\ell$, as long as the shared weak random source W has min-entropy $n^\beta$ for an arbitrary 
constant $0 < \beta < 1$. For the second question, we give positive answers and show that if the local 
weak random sources have entropy rate > 1/2, then we can do essentially as well as if we had 
local uniform random bits. In the case where the local weak random sources have arbitrarily linear 
entropy, we show that we can achieve a security parameter of $\Omega(\log k)$, where k is the min-entropy 
of the shared weak random source W. 

It is interesting to compare our results, and other results in privacy amplification, to the results 
in the context of randomness extraction. For example, the case where Alice and Bob have access 
to local random bits can be compared to the construction of seeded extractors. Both problems 
are known to have optimal solutions non-constructively. However, in the case of extractors, we 
now have constructions that are asymptotically optimal in all parameters [GUV07, DW08]. In 
the privacy amplification case, we only have constructions that are each optimal in one of the 
parameters: [DW09] optimizes the round complexity, [CKOR10] optimizes the entropy loss and 
our result optimizes the randomness complexity. It is therefore a natural open problem to come 
up with protocols that are optimal in all three parameters. Also, our result only works for 
entropy $n^\beta$, thus it would be interesting to construct new protocols that work for entropy as small 
as $k = \mathrm{polylog}(n)$. 

The case where Alice and Bob only have access to local weak random sources can be compared 
to the construction of 3-source extractors. In fact, a privacy amplification protocol in this case gives 
a construction of a 3-source extractor. Since currently the best known 3-source extractor requires 
at least one source to have min-entropy n [Rao06], we do not hope to improve the entropy 
requirement of our results by much (actually our protocol can also deal with slightly sub-linear 
entropy) in the near future. Indeed, to achieve this goal would require new techniques in constructing 
extractors for independent sources. However, for a 3-source extractor we can achieve error $2^{-k^{\Omega(1)}}$, 
while our protocol only achieves $1/\mathrm{poly}(k)$. Thus the natural open problem here is to try to improve 
the security parameter to $k^{\Omega(1)}$. 

It is also interesting to compare our protocols for local weak random sources to the protocols of 
network extractors [KLRZ08, KLR09]. There the adversary is sort of passive, in the sense that she 
doesn't change the messages sent between honest parties. Here the adversary is completely active. 
Thus our results here can be viewed as an extension of [KLRZ08, KLR09] in the two party case. 
Thus it would be interesting to study network extractors with an active adversary. 
A Proof Sketch for Theorem 3.10 

Here we give a proof sketch for Theorem 3.10. The algorithm is essentially the same as that in the 
proof of Theorem 7.5 in [BRSW06], which works by first converting the two sources into a convex 
combination of two independent aligned somewhere random sources, then using the condenser from 
[Rao06]. The proof is also essentially the same, except for the following differences. First, in that 
theorem the somewhere random source has $k^\gamma$ rows, while here it only has a constant number of 
rows. Second, in that theorem the extractor outputs $k - k^{\Omega(1)}$ bits with error $2^{-k^{\Omega(1)}}$. Here we only 
want to output $\Omega(k)$ bits, but the error is $2^{-\Omega(k)}$. In other words, we want the optimal dependence 
on the error and pay a price in the output length. 

The reason for the difference comes from two aspects. First, since the somewhere random source 
in [BRSW06] has $k^\gamma$ rows, the slice chosen can only have width $k^{\Omega(1)}$, which results in an error 
of $2^{-k^{\Omega(1)}}$. Second, the strong seeded extractors used in [BRSW06] cannot achieve error $2^{-\Omega(k)}$. 
We thus adjust the parameters accordingly and use a different construction of seeded extractors to 
achieve the optimal error. 

First, since here the somewhere random source only has a constant number of rows, we can 
afford to use slices of width $\Omega(k)$ in each step. Second, we use Raz's extractor from Theorem 3.11 
as the strong seeded extractor. Raz's extractor is actually a strong 2-source extractor for one 
source with entropy rate > 1/2 and another independent weak source. We use it as a strong seeded 
extractor s.t. the random seed of length $\Omega(k)$ is used as the source with entropy rate > 1/2. Note 
that the output of Raz's extractor has length m linear in the minimum of the min-entropies of the 
two sources, and error $2^{-\Omega(m)}$. By induction it's easy to see that now every source in the algorithm 
has min-entropy $\Omega(k)$. Thus the error is $2^{-\Omega(k)}$ in each step. Since the somewhere random source 
has only a constant number of rows we only need to condense the sources a constant number 
of times. Thus the overall error is $2^{-\Omega(k)}$ and the output length is $\Omega(k)$. 